Play interactive tour

Edit tour

Analysis Report 9fERLFJPjq.exe

Overview

General Information

Sample Name:	9fERLFJPjq.exe
Analysis ID:	1274527
MD5:	ddd60e9ae362def377aa70d414ed374d
SHA1:	ad33d0ff9adc122776771d51743ca855cd882b4d
SHA256:	71b4a68d77929e2815ad7496882fce6c96c677fc154786621943fb90755477b3
Most interesting Screenshot:

Detection

DarkComet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected DarkComet

Yara detected Generic Dropper

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops VBS files to the startup folder

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Potential malicious VBS script found (suspicious strings)

Tries to detect virtualization through RDTSC time measurements

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Drops PE files

Enables debug privileges

Enables driver privileges

Enables security privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to load missing DLLs

Yara detected Keylogger Generic

Yara signature match

Classification

Startup

System is w10x64_office

9fERLFJPjq.exe (PID: 6088 cmdline: 'C:\Users\user\Desktop\9fERLFJPjq.exe' MD5: DDD60E9AE362DEF377AA70D414ED374D)

9fERLFJPjq.exe (PID: 5844 cmdline: 'C:\Users\user\Desktop\9fERLFJPjq.exe' MD5: DDD60E9AE362DEF377AA70D414ED374D)

wscript.exe (PID: 368 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

enxavse.exe (PID: 880 cmdline: 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe' MD5: D409D2D823F91A2DCC7EE6563B632BF3)

enxavse.exe (PID: 5520 cmdline: 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe' MD5: D409D2D823F91A2DCC7EE6563B632BF3)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.602074619.00000000006C1000.00000004.00000001.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0xf08:$a: #BEGIN DARKCOMET DATA -- 0xfd0:$a: #BEGIN DARKCOMET DATA -- 0xf80:$b: #EOF DARKCOMET DATA -- 0xee7:$c: DC_MUTEX-
00000006.00000002.602017158.0000000000696000.00000004.00000001.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x6e8:$k2: #KCMDDC51#-890
00000006.00000002.601989587.0000000000668000.00000004.00000001.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x138:$a: #BEGIN DARKCOMET DATA -- 0x2b8:$a: #BEGIN DARKCOMET DATA -- 0x1c7:$b: #EOF DARKCOMET DATA -- 0x347:$b: #EOF DARKCOMET DATA -- 0x159:$c: DC_MUTEX- 0x2d9:$c: DC_MUTEX-
00000006.00000002.602066507.00000000006BA000.00000004.00000001.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x928:$c: DC_MUTEX- 0x9e8:$k2: #KCMDDC51#-890
0000000B.00000002.503082454.0000000000668000.00000004.00000001.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x138:$a: #BEGIN DARKCOMET DATA -- 0x2b8:$a: #BEGIN DARKCOMET DATA -- 0x1c7:$b: #EOF DARKCOMET DATA -- 0x347:$b: #EOF DARKCOMET DATA -- 0x159:$c: DC_MUTEX- 0x2d9:$c: DC_MUTEX-
0000000B.00000002.503148674.00000000006C1000.00000004.00000001.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0xee0:$a: #BEGIN DARKCOMET DATA -- 0xf80:$b: #EOF DARKCOMET DATA -- 0xf5f:$c: DC_MUTEX-
00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Malware_QA_update	VT Research QA uploaded malware - file update.exe	Florian Roth	0x7d124:$x1: UnActiveOfflineKeylogger 0x8422c:$x2: BTRESULTDownload File\|Mass Download : File Downloaded , Executing new one in temp dir...\| 0x7d088:$x3: ActiveOnlineKeylogger 0x7d934:$x6: BTRESULTUpdate from URL\|Update : File Downloaded , Executing new one in temp dir...\| 0xa4684:$s1: MSRSAAP.EXE 0x7d7c5:$s2: Command successfully executed!\| 0x65198:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed 0x72228:$s4: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer! 0x72ee4:$s5: \Internet Explorer\iexplore.exe 0x7c910:$s6: ping 127.0.0.1 -n 4 > NUL && " 0x65384:$s7: BTMemoryGetProcAddress: DLL doesn't export anything 0x82c30:$s8: POST /index.php/1.0
00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7d8ac:$a1: #BOT#URLUpdate 0x7d7c5:$a2: Command successfully executed! 0x808:$b1: FastMM Borland Edition 0x2b34c:$b2: %s, ClassID: %s 0x72228:$b3: I wasn't able to open the hosts file 0x7d6b0:$b4: #BOT#VisitUrl 0x6c5c0:$b5: #KCMDDC
00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Malware_QA_update_RID2DAD	VT Research QA uploaded malware - file update.exe	Florian Roth	0x7d124:$x1: UnActiveOfflineKeylogger 0x8422c:$x2: BTRESULTDownload File\|Mass Download : File Downloaded , Executing new one in temp dir...\| 0x7d088:$x3: ActiveOnlineKeylogger 0x7d934:$x6: BTRESULTUpdate from URL\|Update : File Downloaded , Executing new one in temp dir...\| 0xa4684:$s1: MSRSAAP.EXE 0x7d7c5:$s2: Command successfully executed!\| 0x65198:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed 0x72228:$s4: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer! 0x72ee4:$s5: \Internet Explorer\iexplore.exe 0x7c910:$s6: ping 127.0.0.1 -n 4 > NUL && " 0x65384:$s7: BTMemoryGetProcAddress: DLL doesn't export anything 0x82c30:$s8: POST /index.php/1.0
00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7d6c8:$bot1: #BOT#OpenUrl 0x7d744:$bot2: #BOT#Ping 0x7d78c:$bot3: #BOT#RunPrompt 0x7d84c:$bot4: #BOT#SvrUninstall 0x7d994:$bot5: #BOT#URLDownload 0x7d8ac:$bot6: #BOT#URLUpdate 0x7d6b0:$bot7: #BOT#VisitUrl 0x7d7f0:$bot8: #BOT#CloseServer 0x7da38:$ddos1: DDOSHTTPFLOOD 0x7da50:$ddos2: DDOSSYNFLOOD 0x7da68:$ddos3: DDOSUDPFLOOD 0x7d088:$keylogger1: ActiveOnlineKeylogger 0x7d0aa:$keylogger1: ActiveOnlineKeylogger 0x7d0a8:$keylogger2: UnActiveOnlineKeylogger 0x7d104:$keylogger3: ActiveOfflineKeylogger 0x7d126:$keylogger3: ActiveOfflineKeylogger 0x7d124:$keylogger4: UnActiveOfflineKeylogger 0x7dd30:$shell1: ACTIVEREMOTESHELL 0x7dd5c:$shell2: SUBMREMOTESHELL 0x7dd74:$shell3: KILLREMOTESHELL
00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7d8ac:$a1: #BOT#URLUpdate 0x7d7c5:$a2: Command successfully executed! 0x808:$b1: FastMM Borland Edition 0x2b34c:$b2: %s, ClassID: %s 0x72228:$b3: I wasn't able to open the hosts file 0x7d6b0:$b4: #BOT#VisitUrl 0x6c5c0:$b5: #KCMDDC
00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	DarkComet_4	unknown	unknown	0x7d6b0:$a1: #BOT# 0x7d6c8:$a1: #BOT# 0x7d744:$a1: #BOT# 0x7d78c:$a1: #BOT# 0x7d7f0:$a1: #BOT# 0x7d84c:$a1: #BOT# 0x7d8ac:$a1: #BOT# 0x7d994:$a1: #BOT# 0x7ddcc:$a2: WEBCAMSTOP 0x7d168:$a3: UnActiveOnlineKeyStrokes 0x7d618:$a4: #SendTaskMgr 0x7dabc:$a5: #RemoteScreenSize 0x7c910:$a6: ping 127.0.0.1 -n 4 > NUL &&
00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7f8ac:$a1: #BOT#URLUpdate 0x7f7c5:$a2: Command successfully executed! 0x2808:$b1: FastMM Borland Edition 0x2d34c:$b2: %s, ClassID: %s 0x74228:$b3: I wasn't able to open the hosts file 0x7f6b0:$b4: #BOT#VisitUrl 0x6e5c0:$b5: #KCMDDC
00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x132042:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18_RID328F	Semiautomatic generated rule - file scan copy.pdf.r11	Florian Roth	0x132042:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7f6c8:$bot1: #BOT#OpenUrl 0x7f744:$bot2: #BOT#Ping 0x7f78c:$bot3: #BOT#RunPrompt 0x7f84c:$bot4: #BOT#SvrUninstall 0x7f994:$bot5: #BOT#URLDownload 0x7f8ac:$bot6: #BOT#URLUpdate 0x7f6b0:$bot7: #BOT#VisitUrl 0x7f7f0:$bot8: #BOT#CloseServer 0x7fa38:$ddos1: DDOSHTTPFLOOD 0x7fa50:$ddos2: DDOSSYNFLOOD 0x7fa68:$ddos3: DDOSUDPFLOOD 0x7f088:$keylogger1: ActiveOnlineKeylogger 0x7f0aa:$keylogger1: ActiveOnlineKeylogger 0x7f0a8:$keylogger2: UnActiveOnlineKeylogger 0x7f104:$keylogger3: ActiveOfflineKeylogger 0x7f126:$keylogger3: ActiveOfflineKeylogger 0x7f124:$keylogger4: UnActiveOfflineKeylogger 0x7fd30:$shell1: ACTIVEREMOTESHELL 0x7fd5c:$shell2: SUBMREMOTESHELL 0x7fd74:$shell3: KILLREMOTESHELL
00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7f8ac:$a1: #BOT#URLUpdate 0x7f7c5:$a2: Command successfully executed! 0x2808:$b1: FastMM Borland Edition 0x2d34c:$b2: %s, ClassID: %s 0x74228:$b3: I wasn't able to open the hosts file 0x7f6b0:$b4: #BOT#VisitUrl 0x6e5c0:$b5: #KCMDDC
00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp	DarkComet_4	unknown	unknown	0x7f6b0:$a1: #BOT# 0x7f6c8:$a1: #BOT# 0x7f744:$a1: #BOT# 0x7f78c:$a1: #BOT# 0x7f7f0:$a1: #BOT# 0x7f84c:$a1: #BOT# 0x7f8ac:$a1: #BOT# 0x7f994:$a1: #BOT# 0x7fdcc:$a2: WEBCAMSTOP 0x7f168:$a3: UnActiveOnlineKeyStrokes 0x7f618:$a4: #SendTaskMgr 0x7fabc:$a5: #RemoteScreenSize 0x7e910:$a6: ping 127.0.0.1 -n 4 > NUL &&
0000000B.00000002.503141508.00000000006BA000.00000004.00000001.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x948:$c: DC_MUTEX-
0000000B.00000002.503100449.0000000000696000.00000004.00000001.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x6e8:$k2: #KCMDDC51#-890
Process Memory Space: 9fERLFJPjq.exe PID: 5844	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x2df:$a: #BEGIN DARKCOMET DATA -- 0x3e7:$a: #BEGIN DARKCOMET DATA -- 0x21e08:$a: #BEGIN DARKCOMET DATA -- 0x21eba:$a: #BEGIN DARKCOMET DATA -- 0x21f94:$a: #BEGIN DARKCOMET DATA -- 0x379:$b: #EOF DARKCOMET DATA -- 0x39d:$b: #EOF DARKCOMET DATA -- 0x21e97:$b: #EOF DARKCOMET DATA -- 0x21f49:$b: #EOF DARKCOMET DATA -- 0x22023:$b: #EOF DARKCOMET DATA -- 0x29b:$c: DC_MUTEX- 0x2c0:$c: DC_MUTEX- 0x21e29:$c: DC_MUTEX- 0x21edb:$c: DC_MUTEX- 0x21fb5:$c: DC_MUTEX- 0x23ee8:$c: DC_MUTEX- 0x23f05:$c: DC_MUTEX- 0x1e949:$k2: #KCMDDC51#-890 0x23ffd:$k2: #KCMDDC51#-890 0x24018:$k2: #KCMDDC51#-890
Process Memory Space: 9fERLFJPjq.exe PID: 6088	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x42d1a:$a1: #BOT#URLUpdate 0x42b71:$a2: Command successfully executed! 0x42b9f:$a2: Command successfully executed! 0x2b0b7:$b1: FastMM Borland Edition 0x2b0dc:$b1: FastMM Borland Edition 0x312cb:$b2: %s, ClassID: %s 0x312e7:$b2: %s, ClassID: %s 0x400ea:$b3: I wasn't able to open the hosts file 0x4014e:$b3: I wasn't able to open the hosts file 0x429eb:$b4: #BOT#VisitUrl 0x42a06:$b4: #BOT#VisitUrl 0x3e374:$b5: #KCMDDC
Process Memory Space: 9fERLFJPjq.exe PID: 6088	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: 9fERLFJPjq.exe PID: 6088	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: 9fERLFJPjq.exe PID: 6088	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
Process Memory Space: 9fERLFJPjq.exe PID: 6088	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x42a20:$bot1: #BOT#OpenUrl 0x42a9a:$bot2: #BOT#Ping 0x42ab1:$bot2: #BOT#Ping 0x42b34:$bot3: #BOT#RunPrompt 0x42c71:$bot4: #BOT#SvrUninstall 0x42ec1:$bot5: #BOT#URLDownload 0x42d1a:$bot6: #BOT#URLUpdate 0x429eb:$bot7: #BOT#VisitUrl 0x42a06:$bot7: #BOT#VisitUrl 0x42bcb:$bot8: #BOT#CloseServer 0x42f93:$ddos1: DDOSHTTPFLOOD 0x42fae:$ddos1: DDOSHTTPFLOOD 0x42fc8:$ddos2: DDOSSYNFLOOD 0x42fe1:$ddos3: DDOSUDPFLOOD 0x421cd:$keylogger1: ActiveOnlineKeylogger 0x421f1:$keylogger1: ActiveOnlineKeylogger 0x421ef:$keylogger2: UnActiveOnlineKeylogger 0x42257:$keylogger3: ActiveOfflineKeylogger 0x4227c:$keylogger3: ActiveOfflineKeylogger 0x4227a:$keylogger4: UnActiveOfflineKeylogger 0x43376:$shell1: ACTIVEREMOTESHELL
Process Memory Space: 9fERLFJPjq.exe PID: 6088	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x42d1a:$a1: #BOT#URLUpdate 0x42b71:$a2: Command successfully executed! 0x42b9f:$a2: Command successfully executed! 0x2b0b7:$b1: FastMM Borland Edition 0x2b0dc:$b1: FastMM Borland Edition 0x312cb:$b2: %s, ClassID: %s 0x312e7:$b2: %s, ClassID: %s 0x400ea:$b3: I wasn't able to open the hosts file 0x4014e:$b3: I wasn't able to open the hosts file 0x429eb:$b4: #BOT#VisitUrl 0x42a06:$b4: #BOT#VisitUrl 0x3e374:$b5: #KCMDDC
Process Memory Space: 9fERLFJPjq.exe PID: 6088	DarkComet_4	unknown	unknown	0x429eb:$a1: #BOT# 0x42a06:$a1: #BOT# 0x42a20:$a1: #BOT# 0x42a9a:$a1: #BOT# 0x42ab1:$a1: #BOT# 0x42b34:$a1: #BOT# 0x42bcb:$a1: #BOT# 0x42c71:$a1: #BOT# 0x42d1a:$a1: #BOT# 0x42ec1:$a1: #BOT# 0x43441:$a2: WEBCAMSTOP 0x43459:$a2: WEBCAMSTOP 0x422c2:$a3: UnActiveOnlineKeyStrokes 0x42916:$a4: #SendTaskMgr 0x42943:$a4: #SendTaskMgr 0x43058:$a5: #RemoteScreenSize 0x417eb:$a6: ping 127.0.0.1 -n 4 > NUL &&
Process Memory Space: enxavse.exe PID: 880	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x217bc:$a1: #BOT#URLUpdate 0x21613:$a2: Command successfully executed! 0x21641:$a2: Command successfully executed! 0x9b59:$b1: FastMM Borland Edition 0x9b7e:$b1: FastMM Borland Edition 0xfd6d:$b2: %s, ClassID: %s 0xfd89:$b2: %s, ClassID: %s 0x1eb8c:$b3: I wasn't able to open the hosts file 0x1ebf0:$b3: I wasn't able to open the hosts file 0x2148d:$b4: #BOT#VisitUrl 0x214a8:$b4: #BOT#VisitUrl 0x1ce16:$b5: #KCMDDC
Process Memory Space: enxavse.exe PID: 880	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: enxavse.exe PID: 880	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
Process Memory Space: enxavse.exe PID: 880	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x214c2:$bot1: #BOT#OpenUrl 0x2153c:$bot2: #BOT#Ping 0x21553:$bot2: #BOT#Ping 0x215d6:$bot3: #BOT#RunPrompt 0x21713:$bot4: #BOT#SvrUninstall 0x21963:$bot5: #BOT#URLDownload 0x217bc:$bot6: #BOT#URLUpdate 0x2148d:$bot7: #BOT#VisitUrl 0x214a8:$bot7: #BOT#VisitUrl 0x2166d:$bot8: #BOT#CloseServer 0x21a35:$ddos1: DDOSHTTPFLOOD 0x21a50:$ddos1: DDOSHTTPFLOOD 0x21a6a:$ddos2: DDOSSYNFLOOD 0x21a83:$ddos3: DDOSUDPFLOOD 0x20c6f:$keylogger1: ActiveOnlineKeylogger 0x20c93:$keylogger1: ActiveOnlineKeylogger 0x20c91:$keylogger2: UnActiveOnlineKeylogger 0x20cf9:$keylogger3: ActiveOfflineKeylogger 0x20d1e:$keylogger3: ActiveOfflineKeylogger 0x20d1c:$keylogger4: UnActiveOfflineKeylogger 0x21e18:$shell1: ACTIVEREMOTESHELL
Process Memory Space: enxavse.exe PID: 880	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x217bc:$a1: #BOT#URLUpdate 0x21613:$a2: Command successfully executed! 0x21641:$a2: Command successfully executed! 0x9b59:$b1: FastMM Borland Edition 0x9b7e:$b1: FastMM Borland Edition 0xfd6d:$b2: %s, ClassID: %s 0xfd89:$b2: %s, ClassID: %s 0x1eb8c:$b3: I wasn't able to open the hosts file 0x1ebf0:$b3: I wasn't able to open the hosts file 0x2148d:$b4: #BOT#VisitUrl 0x214a8:$b4: #BOT#VisitUrl 0x1ce16:$b5: #KCMDDC
Process Memory Space: enxavse.exe PID: 880	DarkComet_4	unknown	unknown	0x2148d:$a1: #BOT# 0x214a8:$a1: #BOT# 0x214c2:$a1: #BOT# 0x2153c:$a1: #BOT# 0x21553:$a1: #BOT# 0x215d6:$a1: #BOT# 0x2166d:$a1: #BOT# 0x21713:$a1: #BOT# 0x217bc:$a1: #BOT# 0x21963:$a1: #BOT# 0x21ee3:$a2: WEBCAMSTOP 0x21efb:$a2: WEBCAMSTOP 0x20d64:$a3: UnActiveOnlineKeyStrokes 0x213b8:$a4: #SendTaskMgr 0x213e5:$a4: #SendTaskMgr 0x21afa:$a5: #RemoteScreenSize 0x2028d:$a6: ping 127.0.0.1 -n 4 > NUL &&
Process Memory Space: enxavse.exe PID: 5520	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x19f3f:$a: #BEGIN DARKCOMET DATA -- 0x19ff1:$a: #BEGIN DARKCOMET DATA -- 0x1a0cb:$a: #BEGIN DARKCOMET DATA -- 0x1ad16:$a: #BEGIN DARKCOMET DATA -- 0x1ad3b:$a: #BEGIN DARKCOMET DATA -- 0x19fce:$b: #EOF DARKCOMET DATA -- 0x1a080:$b: #EOF DARKCOMET DATA -- 0x1a15a:$b: #EOF DARKCOMET DATA -- 0x1ae21:$b: #EOF DARKCOMET DATA -- 0x19f60:$c: DC_MUTEX- 0x1a012:$c: DC_MUTEX- 0x1a0ec:$c: DC_MUTEX- 0x1addd:$c: DC_MUTEX- 0x1ae02:$c: DC_MUTEX- 0x2d2e1:$c: DC_MUTEX- 0x2d8b9:$c: DC_MUTEX- 0x2d8d6:$c: DC_MUTEX- 0x2dde8:$k2: #KCMDDC51#-890
Click to see the 36 entries

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\9fERLFJPjq.exe, ProcessId: 6088, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 9fERLFJPjq.exe	Avira: detected
Source: 9fERLFJPjq.exe	Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Avira: detection malicious, Label: HEUR/AGEN.1112794
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Avira: detection malicious, Label: HEUR/AGEN.1112794

Multi AV Scanner detection for domain / URL

Show sources

Source: pownedfag.pw	Virustotal: Detection: 8%			Perma Link
Source: pownedfag.pw	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Show sources

Source: 9fERLFJPjq.exe	Virustotal: Detection: 74%	Perma Link
Source: 9fERLFJPjq.exe	Metadefender: Detection: 62%	Perma Link
Source: 9fERLFJPjq.exe	ReversingLabs: Detection: 86%
Source: 9fERLFJPjq.exe	Virustotal: Detection: 74%	Perma Link
Source: 9fERLFJPjq.exe	Metadefender: Detection: 62%	Perma Link
Source: 9fERLFJPjq.exe	ReversingLabs: Detection: 86%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 9fERLFJPjq.exe	Joe Sandbox ML: detected
Source: 9fERLFJPjq.exe	Joe Sandbox ML: detected

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: unknown	DNS traffic detected: queries for: pownedfag.pw
Source: unknown	DNS traffic detected: queries for: pownedfag.pw

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\9fERLFJPjq.exe			Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\9fERLFJPjq.exe			Jump to behavior

Source: enxavse.exe, 00000008.00000002.500606567.000000000093A000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: enxavse.exe, 00000008.00000002.500606567.000000000093A000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Yara match	File source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY
Source: Yara match	File source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000006.00000002.602074619.00000000006C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000002.602017158.0000000000696000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000002.601989587.0000000000668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000002.602066507.00000000006BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000B.00000002.503082454.0000000000668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000B.00000002.503148674.00000000006C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: 0000000B.00000002.503141508.00000000006BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000B.00000002.503100449.0000000000696000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: 9fERLFJPjq.exe PID: 5844, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: Process Memory Space: enxavse.exe PID: 5520, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000002.602074619.00000000006C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000002.602017158.0000000000696000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000002.601989587.0000000000668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000002.602066507.00000000006BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000B.00000002.503082454.0000000000668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000B.00000002.503148674.00000000006C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: 0000000B.00000002.503141508.00000000006BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000B.00000002.503100449.0000000000696000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: 9fERLFJPjq.exe PID: 5844, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: Process Memory Space: enxavse.exe PID: 5520, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_

Yara detected DarkComet

Show sources

Source: Yara match	File source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY
Source: Yara match	File source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY

Potential malicious VBS script found (suspicious strings)

Show sources

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Dropped file: objShell.ShellExecute "C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe", "", "", "", 1			Jump to dropped file
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Dropped file: objShell.ShellExecute "C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe", "", "", "", 1			Jump to dropped file

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process token adjusted: Load Driver			Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process token adjusted: Load Driver			Jump to behavior

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process token adjusted: Security			Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process token adjusted: Security			Jump to behavior

Source: 9fERLFJPjq.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9fERLFJPjq.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: enxavse.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: enxavse.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9fERLFJPjq.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9fERLFJPjq.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: enxavse.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: enxavse.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 9fERLFJPjq.exe, 00000002.00000002.601937327.0000000000547000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAmamau.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameMSRSAAP.EXEV vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000002.00000002.602900469.00000000021D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000006.00000000.387200650.0000000000547000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAmamau.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000006.00000002.601302452.00000000001E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000006.00000002.603021982.0000000002450000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe	Binary or memory string: OriginalFilenameAmamau.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000002.00000002.601937327.0000000000547000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAmamau.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameMSRSAAP.EXEV vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000002.00000002.602900469.00000000021D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000006.00000000.387200650.0000000000547000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAmamau.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000006.00000002.601302452.00000000001E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000006.00000002.603021982.0000000002450000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe	Binary or memory string: OriginalFilenameAmamau.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs 9fERLFJPjq.exe

Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior

Source: 00000006.00000002.602074619.00000000006C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000006.00000002.602017158.0000000000696000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000006.00000002.601989587.0000000000668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000006.00000002.602066507.00000000006BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000000B.00000002.503082454.0000000000668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000000B.00000002.503148674.00000000006C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Malware_QA_update_RID2DAD date = 2016-08-29 10:42:01, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F date = 2018-02-14 14:10:21, author = Florian Roth, description = Semiautomatic generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 0000000B.00000002.503141508.00000000006BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000000B.00000002.503100449.0000000000696000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: 9fERLFJPjq.exe PID: 5844, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: enxavse.exe PID: 5520, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000006.00000002.602074619.00000000006C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000006.00000002.602017158.0000000000696000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000006.00000002.601989587.0000000000668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000006.00000002.602066507.00000000006BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000000B.00000002.503082454.0000000000668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000000B.00000002.503148674.00000000006C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Malware_QA_update_RID2DAD date = 2016-08-29 10:42:01, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F date = 2018-02-14 14:10:21, author = Florian Roth, description = Semiautomatic generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 0000000B.00000002.503141508.00000000006BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000000B.00000002.503100449.0000000000696000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: 9fERLFJPjq.exe PID: 5844, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: enxavse.exe PID: 5520, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@349/0

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs			Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs			Jump to behavior

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Mutant created: \Sessions\1\BaseNamedObjects\DC_MUTEX-HXSPSH8
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Mutant created: \Sessions\1\BaseNamedObjects\DC_MUTEX-HXSPSH8

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File created: C:\Users\user\AppData\Local\Temp\Exjoares			Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File created: C:\Users\user\AppData\Local\Temp\Exjoares			Jump to behavior

Source: Yara match	File source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY

Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs'

Source: 9fERLFJPjq.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 9fERLFJPjq.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File read: C:\Users\desktop.ini			Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File read: C:\Users\desktop.ini			Jump to behavior

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 9fERLFJPjq.exe	Virustotal: Detection: 74%
Source: 9fERLFJPjq.exe	Metadefender: Detection: 62%
Source: 9fERLFJPjq.exe	ReversingLabs: Detection: 86%
Source: 9fERLFJPjq.exe	Virustotal: Detection: 74%
Source: 9fERLFJPjq.exe	Metadefender: Detection: 62%
Source: 9fERLFJPjq.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File read: C:\Users\user\Desktop\9fERLFJPjq.exe			Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File read: C:\Users\user\Desktop\9fERLFJPjq.exe			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9fERLFJPjq.exe 'C:\Users\user\Desktop\9fERLFJPjq.exe'
Source: unknown	Process created: C:\Users\user\Desktop\9fERLFJPjq.exe 'C:\Users\user\Desktop\9fERLFJPjq.exe'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process created: C:\Users\user\Desktop\9fERLFJPjq.exe 'C:\Users\user\Desktop\9fERLFJPjq.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'	Jump to behavior
Source: unknown	Process created: C:\Users\user\Desktop\9fERLFJPjq.exe 'C:\Users\user\Desktop\9fERLFJPjq.exe'
Source: unknown	Process created: C:\Users\user\Desktop\9fERLFJPjq.exe 'C:\Users\user\Desktop\9fERLFJPjq.exe'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process created: C:\Users\user\Desktop\9fERLFJPjq.exe 'C:\Users\user\Desktop\9fERLFJPjq.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'	Jump to behavior

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32			Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32			Jump to behavior

Source: Window Recorder	Window detected: More than 3 window changes detected
Source: Window Recorder	Window detected: More than 3 window changes detected

Source: 9fERLFJPjq.exe	Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 9fERLFJPjq.exe	Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 9fERLFJPjq.exe	Static file information: File size 1593344 > 1048576
Source: 9fERLFJPjq.exe	Static file information: File size 1593344 > 1048576

Source: 9fERLFJPjq.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13f000
Source: 9fERLFJPjq.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13f000

Source: enxavse.exe.2.dr	Static PE information: real checksum: 0x191aaa should be: 0x191ac2
Source: 9fERLFJPjq.exe	Static PE information: real checksum: 0x191aaa should be: 0x191ab6
Source: enxavse.exe.2.dr	Static PE information: real checksum: 0x191aaa should be: 0x191ac2
Source: 9fERLFJPjq.exe	Static PE information: real checksum: 0x191aaa should be: 0x191ab6

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe			Jump to dropped file
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe			Jump to dropped file

Boot Survival:

Drops VBS files to the startup folder

Show sources

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs			Jump to dropped file
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs			Jump to dropped file

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs			Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs			Jump to behavior

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs			Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs			Jump to behavior

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	RDTSC instruction interceptor: First address: 000000000052B688 second address: 000000000052B6BD instructions: 0x00000000 rdtsc 0x00000002 test dh, 00000036h 0x00000005 paddd mm1, mm2 0x00000008 cmp bx, B97Fh 0x0000000d mov eax, esp 0x0000000f cmp cx, C32Fh 0x00000014 mov eax, dword ptr [eax+28h] 0x00000017 test ch, 00000071h 0x0000001a movd mm4, eax 0x0000001d test ch, 00000043h 0x00000020 pxor mm4, mm1 0x00000023 cmp ax, 0000DCD4h 0x00000027 movd ebx, mm4 0x0000002a test ch, 00000029h 0x0000002d cmp ebx, 636F6C6Ch 0x00000033 jne 00007F7368CE7B4Ah
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	RDTSC instruction interceptor: First address: 000000000052B688 second address: 000000000052B6BD instructions: 0x00000000 rdtsc 0x00000002 test dh, 00000036h 0x00000005 paddd mm1, mm2 0x00000008 cmp bx, B97Fh 0x0000000d mov eax, esp 0x0000000f cmp cx, C32Fh 0x00000014 mov eax, dword ptr [eax+28h] 0x00000017 test ch, 00000071h 0x0000001a movd mm4, eax 0x0000001d test ch, 00000043h 0x00000020 pxor mm4, mm1 0x00000023 cmp ax, 0000DCD4h 0x00000027 movd ebx, mm4 0x0000002a test ch, 00000029h 0x0000002d cmp ebx, 636F6C6Ch 0x00000033 jne 00007F73688EB32Ah

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	RDTSC instruction interceptor: First address: 000000000052B688 second address: 000000000052B6BD instructions: 0x00000000 rdtsc 0x00000002 test dh, 00000036h 0x00000005 paddd mm1, mm2 0x00000008 cmp bx, B97Fh 0x0000000d mov eax, esp 0x0000000f cmp cx, C32Fh 0x00000014 mov eax, dword ptr [eax+28h] 0x00000017 test ch, 00000071h 0x0000001a movd mm4, eax 0x0000001d test ch, 00000043h 0x00000020 pxor mm4, mm1 0x00000023 cmp ax, 0000DCD4h 0x00000027 movd ebx, mm4 0x0000002a test ch, 00000029h 0x0000002d cmp ebx, 636F6C6Ch 0x00000033 jne 00007F7368CE7B4Ah
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	RDTSC instruction interceptor: First address: 000000000052B688 second address: 000000000052B6BD instructions: 0x00000000 rdtsc 0x00000002 test dh, 00000036h 0x00000005 paddd mm1, mm2 0x00000008 cmp bx, B97Fh 0x0000000d mov eax, esp 0x0000000f cmp cx, C32Fh 0x00000014 mov eax, dword ptr [eax+28h] 0x00000017 test ch, 00000071h 0x0000001a movd mm4, eax 0x0000001d test ch, 00000043h 0x00000020 pxor mm4, mm1 0x00000023 cmp ax, 0000DCD4h 0x00000027 movd ebx, mm4 0x0000002a test ch, 00000029h 0x0000002d cmp ebx, 636F6C6Ch 0x00000033 jne 00007F73688EB32Ah

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Users\user\Desktop\9fERLFJPjq.exe TID: 1820	Thread sleep time: -63800s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe TID: 6076	Thread sleep count: 67 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe TID: 1820	Thread sleep time: -63800s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe TID: 6076	Thread sleep count: 67 > 30	Jump to behavior

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Last function: Thread delayed

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process created: C:\Users\user\Desktop\9fERLFJPjq.exe 'C:\Users\user\Desktop\9fERLFJPjq.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Process created: C:\Users\user\Desktop\9fERLFJPjq.exe 'C:\Users\user\Desktop\9fERLFJPjq.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'	Jump to behavior

Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh<
Source: 9fERLFJPjq.exe, 00000002.00000002.602698012.0000000000DC0000.00000002.00000001.sdmp, 9fERLFJPjq.exe, 00000006.00000002.602880501.0000000001010000.00000002.00000001.sdmp	Binary or memory string: Program ManagerWv{
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, 9fERLFJPjq.exe, 00000006.00000002.602880501.0000000001010000.00000002.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, 9fERLFJPjq.exe, 00000006.00000002.602880501.0000000001010000.00000002.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Progman
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_TrayWndjjh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Progmanjhh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndjh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: ProgmanU
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: ButtonShell_TrayWndj
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndReBarWindow32jh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndReBarWindow32jhD
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_traywnd
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_TrayWndPjjh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh<
Source: 9fERLFJPjq.exe, 00000002.00000002.602698012.0000000000DC0000.00000002.00000001.sdmp, 9fERLFJPjq.exe, 00000006.00000002.602880501.0000000001010000.00000002.00000001.sdmp	Binary or memory string: Program ManagerWv{
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, 9fERLFJPjq.exe, 00000006.00000002.602880501.0000000001010000.00000002.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, 9fERLFJPjq.exe, 00000006.00000002.602880501.0000000001010000.00000002.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Progman
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_TrayWndjjh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Progmanjhh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndjh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: ProgmanU
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: ButtonShell_TrayWndj
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndReBarWindow32jh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndReBarWindow32jhD
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_traywnd
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp	Binary or memory string: Shell_TrayWndPjjh

Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9fERLFJPjq.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior

Stealing of Sensitive Information:

Yara detected Generic Dropper

Show sources

Source: Yara match

File source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting211	Startup Items1	Startup Items1	Masquerading1	Input Capture111	Security Software Discovery3	Remote Services	Input Capture111	Exfiltration Over Other Network Medium	Non-Application Layer Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder2	Process Injection12	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	LSASS Driver1	Registry Run Keys / Startup Folder2	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	DLL Side-Loading1	LSASS Driver1	Scripting211	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	DLL Side-Loading1	DLL Side-Loading1	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery212	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9fERLFJPjq.exe	75%	Virustotal		Browse
9fERLFJPjq.exe	65%	Metadefender		Browse
9fERLFJPjq.exe	86%	ReversingLabs	Win32.Infostealer.PonyStealer
9fERLFJPjq.exe	100%	Avira	HEUR/AGEN.1112794
9fERLFJPjq.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	100%	Avira	HEUR/AGEN.1112794
C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	73%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe	66%	ReversingLabs	Win32.Trojan.Symmi

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
pownedfag.pw	9%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pownedfag.pw	unknown	unknown	true	9%, Virustotal, Browse	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	30.0.0 Red Diamond
Analysis ID:	1274527
Start date:	31.10.2020
Start time:	22:55:53
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	9fERLFJPjq.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit (version 1803) with Office 2016 Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@349/0
Cookbook Comments:	Adjust boot time Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 2.20.142.209, 2.20.142.210 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Simulations

Behavior and APIs

Time	Type	Description
22:58:03	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe Download File
Process:	C:\Users\user\Desktop\9fERLFJPjq.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1593344
Entropy (8bit):	6.1273220474956585
Encrypted:	false
SSDEEP:	24576:5VFstxjDwKaxoaacAx5elx7IwQPDR/20B9/En9+:jKtx/naxoaafx5sx7ZQPF/2g
MD5:	D409D2D823F91A2DCC7EE6563B632BF3
SHA1:	CF458BA081326F5ABEF51FC49C029691E31DE798
SHA-256:	93FC7E03EF797A702427D45C49B15D9CEC8902023E1964D7EF245B49F15A7467
SHA-512:	980DC1083D217BB9F23F5E8ED06453032B7B49C67C78FF005F3DC26558DA23F4A840AE14929F75CA00340E42731FB390ABC48877AE534B3548B5B3E9F63BA4E8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 73%, Browse Antivirus: ReversingLabs, Detection: 66%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................Rich...........PE..L.....jX..........................................@.........................................................................T...(....p..89..................................................................(... ....................................text............................... ..`.data...\e..........................@....rsrc...89...p...@..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs Download File
Process:	C:\Users\user\Desktop\9fERLFJPjq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	384
Entropy (8bit):	2.735492028162851
Encrypted:	false
SSDEEP:	3:j+qAHmFEm86oQ/FERMQsNC2xAvOyyiE2J5xAI81SiHFHrLL:j+q9Nht6Gzyy23fri
MD5:	4D51A387E345D7647D448829FA4721E1
SHA1:	B6436CC59AC5316B7C6566E799226E450C0DBA8A
SHA-256:	BF14C4B45AA14144D0B7FC6642CECCB7977E1588076CDE04B19A3B4D2D9CAC5D
SHA-512:	23FBBC57DC9A3FD8C8CE296E1BEB1582B1DFFEEADB54AE74C01897CD5779866C8C8726B0CCACAE47BFF69DDF3C6A7804E441D43217202FC18075A35AB5BCB8C0
Malicious:	true
Reputation:	low
Preview:	Set objShell = CreateObject("Shell.Application")..objShell.ShellExecute "C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe", "", "", "", 1..................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.127320166154349
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9fERLFJPjq.exe
File size:	1593344
MD5:	ddd60e9ae362def377aa70d414ed374d
SHA1:	ad33d0ff9adc122776771d51743ca855cd882b4d
SHA256:	71b4a68d77929e2815ad7496882fce6c96c677fc154786621943fb90755477b3
SHA512:	ae05c72a51694d6048874cf73d59ab763bb44249b92304c9e15f87ad78cd4801b424b7961543086e3b08aa116022ad3b3634850566ef3979ca003eb6ed650369
SSDEEP:	24576:iVFstxjDwKaxoaacAx5elx7IwQPcR/20B9/En9+:QKtx/naxoaafx5sx7ZQPC/2g
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................Rich............PE..L.....jX..........................................@................

File Icon


Icon Hash:	f0b0b2b2e8aaa6c2

Static PE Info

General
Entrypoint:	0x4019f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x586AC81E [Mon Jan 2 21:37:34 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	30206b822448e92e4bc425d017e3f08f

Entrypoint Preview

Instruction
push 0052FC24h
call 00007F7368EB5B75h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ah, al
out 86h, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13ef54	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x147000	0x43938	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x104	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13e3d4	0x13f000	False	0.583817532817	data	5.85654728614	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x140000	0x655c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x147000	0x43938	0x44000	False	0.62591193704	data	7.02544070644	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x147384	0x1b284	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x162608	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 302384646, next used block 100663296
RT_ICON	0x172e30	0x94a8	data
RT_ICON	0x17c2d8	0x5488	data
RT_ICON	0x181760	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 224, next used block 117440512
RT_ICON	0x185988	0x25a8	data
RT_ICON	0x187f30	0x10a8	data
RT_ICON	0x188fd8	0x988	data
RT_ICON	0x189960	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x189dc8	0x130	data
RT_ICON	0x189ef8	0x2e8	data
RT_ICON	0x18a1e0	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x18a308	0x84	data
RT_GROUP_ICON	0x18a38c	0x30	data
RT_VERSION	0x18a3bc	0x284	data	English	United States
RT_MANIFEST	0x18a640	0x2f7	XML 1.0 document, ASCII text, with CRLF line terminators	Catalan	Spain

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarSetVar, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaFpI4, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0403 0x04b0
InternalName	Amamau
FileVersion	1.03.0009
CompanyName	Asrock
Comments	Jaacata
ProductName	Ndoe5
ProductVersion	1.03.0009
FileDescription	Jaacata
OriginalFilename	Amamau.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Catalan	Spain

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2020 22:57:58.356106997 CET	56207	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:57:58.394027948 CET	53	56207	8.8.8.8	192.168.1.102
Oct 31, 2020 22:57:58.659580946 CET	53477	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:57:58.692158937 CET	53	53477	8.8.8.8	192.168.1.102
Oct 31, 2020 22:57:58.942051888 CET	59765	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:57:58.974617004 CET	53	59765	8.8.8.8	192.168.1.102
Oct 31, 2020 22:57:59.236418009 CET	56491	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:57:59.276905060 CET	53	56491	8.8.8.8	192.168.1.102
Oct 31, 2020 22:57:59.496068954 CET	54834	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:57:59.530893087 CET	53	54834	8.8.8.8	192.168.1.102
Oct 31, 2020 22:57:59.761670113 CET	55551	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:57:59.794290066 CET	53	55551	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:00.019314051 CET	58258	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:00.059798002 CET	53	58258	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:00.294744015 CET	50042	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:00.327389956 CET	53	50042	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:00.542402983 CET	56374	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:00.575041056 CET	53	56374	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:00.791368961 CET	60220	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:00.815601110 CET	53	60220	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:01.040200949 CET	57148	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:01.072635889 CET	53	57148	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:01.315272093 CET	57038	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:01.347723961 CET	53	57038	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:01.564667940 CET	64159	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:01.596940041 CET	53	64159	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:01.817579031 CET	65439	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:01.850222111 CET	53	65439	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:01.881184101 CET	51987	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:01.915091038 CET	53	51987	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:02.068314075 CET	58920	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:02.092422962 CET	53	58920	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:02.332345009 CET	61047	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:02.365031004 CET	53	61047	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:02.601298094 CET	63824	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:02.633838892 CET	53	63824	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:02.866518021 CET	65396	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:02.899205923 CET	53	65396	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:03.309684038 CET	56632	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:03.333837986 CET	53	56632	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:03.552083015 CET	59034	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:03.584611893 CET	53	59034	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:03.811285973 CET	61604	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:03.844147921 CET	53	61604	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:04.077286959 CET	54649	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:04.109910965 CET	53	54649	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:04.325582981 CET	56594	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:04.357940912 CET	53	56594	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:04.576935053 CET	64674	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:04.609405041 CET	53	64674	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:04.842366934 CET	64575	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:04.875086069 CET	53	64575	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:05.088447094 CET	62746	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:05.121138096 CET	53	62746	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:05.331859112 CET	57017	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:05.355911970 CET	53	57017	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:05.575695038 CET	51370	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:05.599952936 CET	53	51370	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:05.828222990 CET	64252	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:05.860693932 CET	53	64252	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:06.113827944 CET	56928	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:06.146298885 CET	53	56928	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:06.370800972 CET	65441	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:06.403548002 CET	53	65441	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:06.629591942 CET	50720	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:06.653817892 CET	53	50720	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:06.895286083 CET	65401	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:06.927692890 CET	53	65401	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:07.142600060 CET	50861	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:07.166835070 CET	53	50861	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:07.391448975 CET	51755	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:07.426150084 CET	53	51755	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:07.643035889 CET	50463	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:07.667279959 CET	53	50463	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:07.887782097 CET	56769	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:07.920172930 CET	53	56769	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:08.174350977 CET	51916	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:08.198610067 CET	53	51916	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:08.437330961 CET	56942	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:08.461559057 CET	53	56942	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:08.670663118 CET	55068	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:08.703073025 CET	53	55068	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:08.916201115 CET	53841	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:08.948748112 CET	53	53841	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:09.166476011 CET	64828	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:09.199018955 CET	53	64828	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:09.410628080 CET	56358	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:09.434798002 CET	53	56358	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:09.655642986 CET	63561	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:09.679802895 CET	53	63561	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:09.901715994 CET	51394	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:09.934288979 CET	53	51394	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:10.241559029 CET	49992	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:10.265716076 CET	53	49992	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:11.119221926 CET	49809	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:11.143455982 CET	53	49809	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:11.486649036 CET	56534	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:11.519293070 CET	53	56534	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:12.063915014 CET	60347	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:12.088180065 CET	53	60347	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:12.360224962 CET	57196	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:12.392833948 CET	53	57196	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:12.638248920 CET	49854	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:12.670840025 CET	53	49854	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:12.888031006 CET	55636	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:12.912288904 CET	53	55636	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:13.152443886 CET	52639	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:13.176635981 CET	53	52639	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:13.389481068 CET	51081	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:13.421798944 CET	53	51081	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:13.637166977 CET	54091	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:13.661380053 CET	53	54091	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:13.882484913 CET	50698	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:13.915235996 CET	53	50698	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:14.129964113 CET	59236	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:14.162384987 CET	53	59236	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:14.379251003 CET	56424	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:14.411956072 CET	53	56424	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:14.622591972 CET	49281	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:14.657351971 CET	53	49281	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:14.865195990 CET	63120	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:14.897814035 CET	53	63120	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:15.108350039 CET	52700	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:15.132586956 CET	53	52700	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:15.339456081 CET	61439	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:15.371829033 CET	53	61439	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:15.587194920 CET	53618	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:15.619775057 CET	53	53618	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:15.833266973 CET	59268	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:15.857454062 CET	53	59268	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:16.083573103 CET	51656	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:16.107834101 CET	53	51656	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:16.334146023 CET	64193	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:16.358230114 CET	53	64193	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:16.581343889 CET	57782	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:16.605617046 CET	53	57782	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:16.854422092 CET	59335	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:16.878748894 CET	53	59335	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:17.094836950 CET	60355	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:17.127824068 CET	53	60355	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:17.352400064 CET	57230	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:17.385077953 CET	53	57230	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:17.597307920 CET	53989	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:17.621516943 CET	53	53989	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:17.848023891 CET	63857	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:17.880671978 CET	53	63857	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:18.092550039 CET	55720	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:18.116739035 CET	53	55720	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:18.337786913 CET	61240	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:18.361890078 CET	53	61240	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:18.574656010 CET	51595	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:18.607055902 CET	53	51595	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:18.816879034 CET	57505	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:18.841288090 CET	53	57505	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:19.060357094 CET	52985	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:19.093238115 CET	53	52985	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:19.300507069 CET	52371	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:19.324656010 CET	53	52371	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:19.550453901 CET	49343	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:19.574682951 CET	53	49343	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:19.791575909 CET	54587	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:19.815844059 CET	53	54587	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:20.035082102 CET	58952	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:20.067749977 CET	53	58952	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:20.282563925 CET	64972	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:20.317482948 CET	53	64972	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:20.531861067 CET	54614	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:20.556108952 CET	53	54614	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:20.780188084 CET	60683	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:20.812860966 CET	53	60683	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:21.034014940 CET	49685	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:21.058366060 CET	53	49685	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:21.288301945 CET	57523	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:21.312442064 CET	53	57523	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:21.531739950 CET	49862	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:21.564377069 CET	53	49862	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:21.775712013 CET	50759	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:21.799909115 CET	53	50759	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:22.013997078 CET	54283	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:22.038214922 CET	53	54283	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:22.249692917 CET	54350	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:22.282382011 CET	53	54350	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:22.496064901 CET	55297	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:22.528485060 CET	53	55297	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:22.754255056 CET	62405	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:22.778407097 CET	53	62405	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:22.987730980 CET	50044	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:23.011904001 CET	53	50044	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:23.237608910 CET	59095	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:23.261676073 CET	53	59095	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:23.484697104 CET	65467	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:23.508753061 CET	53	65467	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:23.720062017 CET	59586	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:23.744277954 CET	53	59586	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:23.952507019 CET	57783	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:23.985146046 CET	53	57783	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:24.201069117 CET	54146	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:24.225156069 CET	53	54146	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:24.452256918 CET	53803	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:24.476434946 CET	53	53803	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:24.705614090 CET	62351	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:24.738022089 CET	53	62351	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:25.002012968 CET	57307	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:25.026257992 CET	53	57307	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:25.269138098 CET	56455	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:25.293188095 CET	53	56455	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:25.519251108 CET	54605	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:25.543380022 CET	53	54605	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:25.770019054 CET	58993	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:25.794158936 CET	53	58993	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:26.021261930 CET	52514	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:26.045578003 CET	53	52514	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:26.331233978 CET	62186	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:26.355210066 CET	53	62186	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:26.566318989 CET	61947	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:26.590398073 CET	53	61947	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:26.813718081 CET	63079	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:26.837829113 CET	53	63079	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:27.056814909 CET	49656	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:27.081043005 CET	53	49656	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:27.312645912 CET	52180	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:27.336785078 CET	53	52180	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:27.611253977 CET	59814	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:27.635328054 CET	53	59814	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:27.957024097 CET	54946	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:27.989484072 CET	53	54946	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:28.633605003 CET	55118	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:28.666385889 CET	53	55118	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:28.967077017 CET	57107	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:28.991214991 CET	53	57107	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:29.646918058 CET	56712	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:29.679399967 CET	53	56712	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:29.896704912 CET	62913	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:29.920857906 CET	53	62913	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:30.132014036 CET	61321	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:30.156132936 CET	53	61321	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:30.377209902 CET	64117	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:30.409487963 CET	53	64117	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:30.629019022 CET	56830	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:30.653052092 CET	53	56830	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:30.870219946 CET	55685	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:30.894418001 CET	53	55685	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:31.118225098 CET	59193	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:31.142339945 CET	53	59193	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:31.351303101 CET	49944	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:31.375416994 CET	53	49944	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:31.599716902 CET	49164	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:31.623965979 CET	53	49164	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:31.847336054 CET	59160	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:31.871427059 CET	53	59160	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:32.092302084 CET	60937	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:32.116513014 CET	53	60937	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:32.328479052 CET	65365	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:32.352600098 CET	53	65365	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:32.577069998 CET	60070	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:32.601262093 CET	53	60070	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:32.822932959 CET	59512	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:32.847043991 CET	53	59512	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:33.063493013 CET	58105	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:33.087570906 CET	53	58105	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:33.311418056 CET	61117	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:33.335694075 CET	53	61117	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:33.552701950 CET	55210	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:33.585167885 CET	53	55210	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:33.798768044 CET	57297	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:33.822961092 CET	53	57297	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:34.033284903 CET	54393	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:34.057393074 CET	53	54393	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:34.284466982 CET	52644	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:34.317047119 CET	53	52644	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:34.526227951 CET	54515	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:34.550215006 CET	53	54515	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:34.758867025 CET	60329	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:34.782953978 CET	53	60329	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:34.997220993 CET	50998	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:35.021348953 CET	53	50998	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:35.243607044 CET	55688	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:35.267817020 CET	53	55688	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:35.494707108 CET	57688	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:35.518752098 CET	53	57688	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:35.738225937 CET	62783	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:35.762243032 CET	53	62783	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:35.982425928 CET	52594	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:36.014950037 CET	53	52594	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:36.230536938 CET	59739	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:36.254667044 CET	53	59739	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:36.482888937 CET	58695	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:36.506968975 CET	53	58695	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:36.721333981 CET	56807	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:36.745426893 CET	53	56807	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:36.972196102 CET	58389	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:36.996511936 CET	53	58389	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:37.216810942 CET	65046	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:37.240936041 CET	53	65046	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:37.462160110 CET	63244	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:37.486321926 CET	53	63244	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:37.731558084 CET	65273	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:37.755875111 CET	53	65273	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:38.001010895 CET	56886	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:38.025197029 CET	53	56886	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:38.255713940 CET	59804	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:38.279748917 CET	53	59804	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:38.510190010 CET	60768	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:38.542990923 CET	53	60768	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:38.794533014 CET	49318	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:38.818690062 CET	53	49318	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:39.037404060 CET	64692	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:39.061516047 CET	53	64692	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:39.291409016 CET	60203	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:39.315632105 CET	53	60203	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:39.541771889 CET	49836	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:39.565871954 CET	53	49836	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:39.806390047 CET	50725	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:39.838660955 CET	53	50725	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:40.071918964 CET	49311	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:40.104702950 CET	53	49311	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:40.319116116 CET	63592	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:40.343267918 CET	53	63592	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:40.565732956 CET	63821	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:40.589935064 CET	53	63821	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:40.821423054 CET	63605	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:40.854068041 CET	53	63605	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:41.094196081 CET	57058	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:41.118374109 CET	53	57058	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:41.347328901 CET	61836	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:41.371474028 CET	53	61836	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:41.614700079 CET	51184	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:41.638802052 CET	53	51184	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:41.860361099 CET	53030	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:41.884532928 CET	53	53030	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:42.106020927 CET	57520	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:42.138346910 CET	53	57520	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:42.351480007 CET	49981	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:42.375706911 CET	53	49981	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:42.598376036 CET	55440	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:42.622498989 CET	53	55440	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:42.837658882 CET	58730	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:42.861886024 CET	53	58730	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:43.114191055 CET	56874	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:43.138371944 CET	53	56874	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:43.360255003 CET	49911	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:43.384397984 CET	53	49911	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:43.608668089 CET	58453	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:43.632755041 CET	53	58453	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:43.854275942 CET	60578	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:43.878500938 CET	53	60578	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:44.101288080 CET	62571	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:44.125572920 CET	53	62571	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:44.347199917 CET	65477	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:44.371329069 CET	53	65477	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:44.588150024 CET	53735	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:44.612421989 CET	53	53735	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:44.946187019 CET	63405	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:44.970352888 CET	53	63405	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:45.183635950 CET	58703	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:45.207782030 CET	53	58703	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:45.422210932 CET	50134	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:45.446420908 CET	53	50134	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:45.668564081 CET	64765	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:45.692790031 CET	53	64765	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:46.283267021 CET	53342	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:46.315936089 CET	53	53342	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:47.013602972 CET	65135	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:47.037919044 CET	53	65135	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:47.287213087 CET	54498	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:47.311530113 CET	53	54498	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:47.583743095 CET	57518	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:47.607892036 CET	53	57518	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:47.867212057 CET	62452	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:47.891453981 CET	53	62452	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:48.120528936 CET	58819	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:48.144661903 CET	53	58819	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:48.375437975 CET	57083	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:48.399682999 CET	53	57083	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:48.629600048 CET	64811	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:48.653717995 CET	53	64811	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:48.879422903 CET	65510	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:48.903634071 CET	53	65510	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:49.132314920 CET	55559	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:49.156527996 CET	53	55559	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:49.378151894 CET	56930	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:49.402359962 CET	53	56930	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:49.626338959 CET	52180	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:49.650624990 CET	53	52180	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:49.879075050 CET	49913	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:49.903287888 CET	53	49913	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:50.131946087 CET	64304	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:50.156435966 CET	53	64304	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:50.377088070 CET	59117	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:50.401303053 CET	53	59117	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:50.643929005 CET	51297	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:50.668054104 CET	53	51297	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:50.914680004 CET	52465	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:50.938851118 CET	53	52465	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:51.172966003 CET	63953	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:51.197154045 CET	53	63953	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:51.424407005 CET	56302	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:51.448590994 CET	53	56302	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:51.688716888 CET	56717	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:51.712738037 CET	53	56717	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:51.925961971 CET	50255	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:51.958904982 CET	53	50255	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:52.186191082 CET	59870	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:52.210366011 CET	53	59870	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:52.426301003 CET	62234	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:52.450582981 CET	53	62234	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:52.672508001 CET	60207	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:52.696655035 CET	53	60207	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:52.926002026 CET	57423	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:52.950433969 CET	53	57423	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:53.175318003 CET	64291	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:53.199438095 CET	53	64291	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:53.464314938 CET	49530	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:53.488398075 CET	53	49530	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:53.706046104 CET	56309	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:53.730273962 CET	53	56309	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:53.961328030 CET	61575	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:53.985579967 CET	53	61575	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:54.243802071 CET	59604	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:54.268002033 CET	53	59604	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:54.499098063 CET	65008	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:54.523300886 CET	53	65008	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:54.777808905 CET	62063	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:54.801896095 CET	53	62063	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:55.033621073 CET	60224	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:55.057796955 CET	53	60224	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:55.324409008 CET	62597	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:55.348665953 CET	53	62597	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:55.567173958 CET	55717	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:55.591279030 CET	53	55717	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:55.818265915 CET	58855	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:55.842416048 CET	53	58855	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:56.062531948 CET	59544	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:56.086709023 CET	53	59544	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:56.301527977 CET	52147	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:56.325673103 CET	53	52147	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:56.595185041 CET	57054	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:56.619375944 CET	53	57054	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:56.899789095 CET	54852	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:56.923993111 CET	53	54852	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:57.158828020 CET	60972	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:57.183202982 CET	53	60972	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:57.396714926 CET	50751	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:57.420866966 CET	53	50751	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:57.649252892 CET	54740	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:57.673403978 CET	53	54740	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:57.914612055 CET	55214	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:57.938954115 CET	53	55214	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:58.198401928 CET	56233	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:58.222671986 CET	53	56233	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:58.474261045 CET	60507	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:58.498405933 CET	53	60507	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:58.724769115 CET	64708	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:58.749001026 CET	53	64708	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:58.974025965 CET	52619	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:58.998239040 CET	53	52619	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:59.221676111 CET	58552	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:59.245881081 CET	53	58552	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:59.460984945 CET	59490	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:59.485228062 CET	53	59490	8.8.8.8	192.168.1.102
Oct 31, 2020 22:58:59.717564106 CET	58873	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:58:59.741791010 CET	53	58873	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:00.027281046 CET	56549	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:00.051398993 CET	53	56549	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:00.317502022 CET	55855	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:00.341680050 CET	53	55855	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:00.571221113 CET	56579	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:00.595423937 CET	53	56579	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:00.818341970 CET	62793	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:00.843266010 CET	53	62793	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:01.097857952 CET	59367	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:01.130239964 CET	53	59367	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:01.392920017 CET	54268	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:01.416995049 CET	53	54268	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:01.633388996 CET	64936	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:01.657594919 CET	53	64936	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:01.888259888 CET	51053	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:01.912434101 CET	53	51053	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:02.132716894 CET	61982	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:02.156886101 CET	53	61982	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:02.383390903 CET	50558	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:02.407545090 CET	53	50558	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:02.629148006 CET	52017	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:02.653281927 CET	53	52017	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:02.892231941 CET	49441	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:02.916342974 CET	53	49441	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:03.190824032 CET	62164	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:03.214942932 CET	53	62164	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:03.471592903 CET	53570	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:03.495737076 CET	53	53570	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:03.724661112 CET	54484	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:03.748977900 CET	53	54484	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:03.971355915 CET	57759	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:03.995729923 CET	53	57759	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:04.219145060 CET	55894	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:04.243385077 CET	53	55894	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:04.520612955 CET	59991	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:04.544728994 CET	53	59991	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:04.759471893 CET	61955	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:04.783665895 CET	53	61955	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:05.006222010 CET	60886	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:05.030752897 CET	53	60886	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:05.248702049 CET	50849	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:05.273355961 CET	53	50849	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:05.498981953 CET	64983	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:05.523180008 CET	53	64983	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:05.741180897 CET	57969	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:05.765384912 CET	53	57969	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:05.980118990 CET	63601	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:06.004417896 CET	53	63601	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:06.281059027 CET	60634	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:06.305275917 CET	53	60634	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:06.544899940 CET	54728	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:06.569180012 CET	53	54728	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:06.797962904 CET	55538	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:06.822242975 CET	53	55538	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:07.054301023 CET	54753	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:07.078536034 CET	53	54753	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:07.338673115 CET	63889	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:07.371146917 CET	53	63889	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:07.599427938 CET	50653	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:07.623533964 CET	53	50653	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:07.848397970 CET	59803	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:07.872580051 CET	53	59803	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:08.113929033 CET	55187	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:08.138168097 CET	53	55187	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:08.353817940 CET	59654	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:08.378213882 CET	53	59654	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:08.590481997 CET	53774	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:08.614651918 CET	53	53774	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:08.840511084 CET	50231	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:08.864626884 CET	53	50231	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:09.117484093 CET	49638	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:09.141653061 CET	53	49638	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:09.362986088 CET	61470	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:09.387201071 CET	53	61470	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:09.626601934 CET	61182	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:09.650854111 CET	53	61182	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:09.909435034 CET	54229	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:09.933723927 CET	53	54229	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:10.157074928 CET	57493	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:10.181204081 CET	53	57493	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:10.436167955 CET	54522	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:10.460338116 CET	53	54522	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:10.713459015 CET	65178	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:10.737663031 CET	53	65178	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:10.969902992 CET	53520	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:10.994184017 CET	53	53520	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:11.203850985 CET	56538	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:11.228014946 CET	53	56538	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:11.456494093 CET	49372	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:11.480654001 CET	53	49372	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:11.703495026 CET	63245	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:11.727776051 CET	53	63245	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:11.937109947 CET	60603	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:11.961415052 CET	53	60603	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:12.215946913 CET	55587	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:12.240103006 CET	53	55587	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:12.463819981 CET	62755	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:12.487976074 CET	53	62755	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:12.703722954 CET	60200	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:12.727832079 CET	53	60200	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:12.956382990 CET	49495	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:12.980635881 CET	53	49495	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:13.253719091 CET	51291	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:13.277864933 CET	53	51291	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:13.534048080 CET	58749	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:13.558196068 CET	53	58749	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:13.813366890 CET	53484	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:13.837476969 CET	53	53484	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:14.054671049 CET	61290	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:14.078919888 CET	53	61290	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:14.301342964 CET	55729	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:14.325351000 CET	53	55729	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:14.550076008 CET	65030	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:14.582607031 CET	53	65030	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:14.801049948 CET	64724	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:14.825131893 CET	53	64724	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:15.041461945 CET	64977	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:15.065736055 CET	53	64977	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:15.292025089 CET	59881	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:15.316190958 CET	53	59881	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:15.566790104 CET	62678	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:15.591017008 CET	53	62678	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:15.808876038 CET	56604	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:15.833029032 CET	53	56604	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:16.059195042 CET	51025	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:16.083314896 CET	53	51025	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:16.326210976 CET	64442	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:16.350312948 CET	53	64442	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:16.595269918 CET	55376	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:16.619399071 CET	53	55376	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:16.840065002 CET	53504	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:16.864172935 CET	53	53504	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:17.121419907 CET	54021	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:17.145641088 CET	53	54021	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:17.416896105 CET	49728	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:17.441052914 CET	53	49728	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:17.658880949 CET	51606	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:17.682924032 CET	53	51606	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:17.905126095 CET	58526	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:17.929291964 CET	53	58526	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:18.149868011 CET	59756	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:18.174017906 CET	53	59756	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:18.387938976 CET	64708	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:18.412138939 CET	53	64708	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:18.655294895 CET	59527	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:18.679408073 CET	53	59527	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:18.912914038 CET	63216	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:18.937150955 CET	53	63216	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:19.161531925 CET	50350	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:19.185652971 CET	53	50350	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:19.434782982 CET	58741	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:19.459067106 CET	53	58741	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:19.705502033 CET	63789	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:19.729603052 CET	53	63789	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:19.968070030 CET	59681	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:19.992373943 CET	53	59681	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:20.268593073 CET	62959	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:20.292696953 CET	53	62959	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:20.569405079 CET	52302	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:20.593558073 CET	53	52302	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:20.806374073 CET	56406	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:20.830477953 CET	53	56406	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:21.048388004 CET	50867	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:21.072523117 CET	53	50867	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:21.297161102 CET	50278	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:21.321295977 CET	53	50278	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:21.546818018 CET	64446	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:21.570874929 CET	53	64446	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:21.814594030 CET	56574	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:21.838738918 CET	53	56574	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:22.097029924 CET	49803	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:22.121248960 CET	53	49803	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:22.349307060 CET	63963	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:22.373425007 CET	53	63963	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:22.612602949 CET	59670	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:22.636688948 CET	53	59670	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:22.854568005 CET	61658	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:22.878793955 CET	53	61658	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:23.133879900 CET	58012	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:23.158044100 CET	53	58012	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:23.375050068 CET	60654	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:23.399208069 CET	53	60654	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:23.630074978 CET	57603	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:23.654383898 CET	53	57603	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:23.884705067 CET	50765	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:23.908905983 CET	53	50765	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:24.130032063 CET	57920	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:24.154334068 CET	53	57920	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:24.379892111 CET	57738	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:24.403971910 CET	53	57738	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:24.622478962 CET	52989	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:24.646840096 CET	53	52989	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:24.888324022 CET	64836	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:24.912674904 CET	53	64836	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:25.153604031 CET	51156	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:25.186151981 CET	53	51156	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:25.405442953 CET	57858	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:25.429682970 CET	53	57858	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:25.653238058 CET	51566	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:25.677448988 CET	53	51566	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:25.903892994 CET	58780	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:25.928066015 CET	53	58780	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:26.160885096 CET	55888	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:26.185185909 CET	53	55888	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:26.416438103 CET	62238	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:26.440584898 CET	53	62238	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:26.655599117 CET	57491	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:26.679734945 CET	53	57491	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:26.904875040 CET	62377	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:26.929169893 CET	53	62377	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:27.140017033 CET	61111	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:27.164298058 CET	53	61111	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:27.378006935 CET	54951	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:27.402121067 CET	53	54951	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:27.631149054 CET	64626	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:27.655303001 CET	53	64626	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:27.869113922 CET	57904	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:27.893304110 CET	53	57904	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:28.103110075 CET	54326	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:28.127270937 CET	53	54326	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:28.354991913 CET	55356	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:28.379195929 CET	53	55356	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:28.619333029 CET	60619	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:28.643476963 CET	53	60619	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:28.852669954 CET	64313	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:28.876889944 CET	53	64313	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:29.107744932 CET	50335	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:29.131956100 CET	53	50335	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:29.349948883 CET	63308	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:29.374089956 CET	53	63308	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:29.604275942 CET	64446	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:29.628443956 CET	53	64446	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:29.926681042 CET	53335	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:29.951117039 CET	53	53335	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:30.187779903 CET	55759	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:30.212205887 CET	53	55759	8.8.8.8	192.168.1.102
Oct 31, 2020 22:59:30.439661980 CET	57690	53	192.168.1.102	8.8.8.8
Oct 31, 2020 22:59:30.463994980 CET	53	57690	8.8.8.8	192.168.1.102

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 31, 2020 22:57:58.356106997 CET	192.168.1.102	8.8.8.8	0x209	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:57:58.659580946 CET	192.168.1.102	8.8.8.8	0x1c29	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:57:58.942051888 CET	192.168.1.102	8.8.8.8	0x87e4	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:57:59.236418009 CET	192.168.1.102	8.8.8.8	0x8f04	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:57:59.496068954 CET	192.168.1.102	8.8.8.8	0x910f	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:57:59.761670113 CET	192.168.1.102	8.8.8.8	0x9140	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:00.019314051 CET	192.168.1.102	8.8.8.8	0x4e76	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:00.294744015 CET	192.168.1.102	8.8.8.8	0x7830	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:00.542402983 CET	192.168.1.102	8.8.8.8	0xf1a1	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:00.791368961 CET	192.168.1.102	8.8.8.8	0x221c	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:01.040200949 CET	192.168.1.102	8.8.8.8	0xcf99	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:01.315272093 CET	192.168.1.102	8.8.8.8	0x2ac9	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:01.564667940 CET	192.168.1.102	8.8.8.8	0xa10d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:01.817579031 CET	192.168.1.102	8.8.8.8	0xee71	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:02.068314075 CET	192.168.1.102	8.8.8.8	0xb733	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:02.332345009 CET	192.168.1.102	8.8.8.8	0xf8e8	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:02.601298094 CET	192.168.1.102	8.8.8.8	0x1d68	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:02.866518021 CET	192.168.1.102	8.8.8.8	0x2f73	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:03.309684038 CET	192.168.1.102	8.8.8.8	0x199e	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:03.552083015 CET	192.168.1.102	8.8.8.8	0x1e49	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:03.811285973 CET	192.168.1.102	8.8.8.8	0x58ba	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:04.077286959 CET	192.168.1.102	8.8.8.8	0xe2a4	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:04.325582981 CET	192.168.1.102	8.8.8.8	0xb3e4	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:04.576935053 CET	192.168.1.102	8.8.8.8	0xf2a	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:04.842366934 CET	192.168.1.102	8.8.8.8	0x3f86	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:05.088447094 CET	192.168.1.102	8.8.8.8	0x54cf	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:05.331859112 CET	192.168.1.102	8.8.8.8	0x4840	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:05.575695038 CET	192.168.1.102	8.8.8.8	0xfc09	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:05.828222990 CET	192.168.1.102	8.8.8.8	0xa98	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:06.113827944 CET	192.168.1.102	8.8.8.8	0x5ed1	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:06.370800972 CET	192.168.1.102	8.8.8.8	0x7eef	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:06.629591942 CET	192.168.1.102	8.8.8.8	0x3562	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:06.895286083 CET	192.168.1.102	8.8.8.8	0xdd63	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:07.142600060 CET	192.168.1.102	8.8.8.8	0x2f0a	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:07.391448975 CET	192.168.1.102	8.8.8.8	0x80e8	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:07.643035889 CET	192.168.1.102	8.8.8.8	0xfe10	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:07.887782097 CET	192.168.1.102	8.8.8.8	0xf008	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:08.174350977 CET	192.168.1.102	8.8.8.8	0x86db	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:08.437330961 CET	192.168.1.102	8.8.8.8	0x7dd2	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:08.670663118 CET	192.168.1.102	8.8.8.8	0x4f62	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:08.916201115 CET	192.168.1.102	8.8.8.8	0xb4bb	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:09.166476011 CET	192.168.1.102	8.8.8.8	0xa8d8	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:09.410628080 CET	192.168.1.102	8.8.8.8	0xa29d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:09.655642986 CET	192.168.1.102	8.8.8.8	0xcb7f	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:09.901715994 CET	192.168.1.102	8.8.8.8	0xc6cd	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:10.241559029 CET	192.168.1.102	8.8.8.8	0xc922	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:11.119221926 CET	192.168.1.102	8.8.8.8	0xd52c	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:11.486649036 CET	192.168.1.102	8.8.8.8	0xcc7b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:12.063915014 CET	192.168.1.102	8.8.8.8	0xf93b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:12.360224962 CET	192.168.1.102	8.8.8.8	0xf377	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:12.638248920 CET	192.168.1.102	8.8.8.8	0x376d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:12.888031006 CET	192.168.1.102	8.8.8.8	0x7db3	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:13.152443886 CET	192.168.1.102	8.8.8.8	0x6114	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:13.389481068 CET	192.168.1.102	8.8.8.8	0x3f83	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:13.637166977 CET	192.168.1.102	8.8.8.8	0x54a4	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:13.882484913 CET	192.168.1.102	8.8.8.8	0xf798	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:14.129964113 CET	192.168.1.102	8.8.8.8	0xf438	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:14.379251003 CET	192.168.1.102	8.8.8.8	0xa1c6	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:14.622591972 CET	192.168.1.102	8.8.8.8	0xeb4b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:14.865195990 CET	192.168.1.102	8.8.8.8	0x69fe	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:15.108350039 CET	192.168.1.102	8.8.8.8	0xe3ba	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:15.339456081 CET	192.168.1.102	8.8.8.8	0x3f9b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:15.587194920 CET	192.168.1.102	8.8.8.8	0x2f15	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:15.833266973 CET	192.168.1.102	8.8.8.8	0x361c	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:16.083573103 CET	192.168.1.102	8.8.8.8	0x446b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:16.334146023 CET	192.168.1.102	8.8.8.8	0x2fbc	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:16.581343889 CET	192.168.1.102	8.8.8.8	0xdf8b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:16.854422092 CET	192.168.1.102	8.8.8.8	0x2d1c	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:17.094836950 CET	192.168.1.102	8.8.8.8	0xa583	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:17.352400064 CET	192.168.1.102	8.8.8.8	0x9e56	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:17.597307920 CET	192.168.1.102	8.8.8.8	0xf4e2	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:17.848023891 CET	192.168.1.102	8.8.8.8	0xfe7b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:18.092550039 CET	192.168.1.102	8.8.8.8	0xd3dd	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:18.337786913 CET	192.168.1.102	8.8.8.8	0xa28f	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:18.574656010 CET	192.168.1.102	8.8.8.8	0xc9b7	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:18.816879034 CET	192.168.1.102	8.8.8.8	0x889	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:19.060357094 CET	192.168.1.102	8.8.8.8	0x6cd2	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:19.300507069 CET	192.168.1.102	8.8.8.8	0x34f1	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:19.550453901 CET	192.168.1.102	8.8.8.8	0x8810	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:19.791575909 CET	192.168.1.102	8.8.8.8	0x8e1a	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:20.035082102 CET	192.168.1.102	8.8.8.8	0xa97	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:20.282563925 CET	192.168.1.102	8.8.8.8	0xd7aa	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:20.531861067 CET	192.168.1.102	8.8.8.8	0xcf33	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:20.780188084 CET	192.168.1.102	8.8.8.8	0x6917	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:21.034014940 CET	192.168.1.102	8.8.8.8	0xa518	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:21.288301945 CET	192.168.1.102	8.8.8.8	0xea3f	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:21.531739950 CET	192.168.1.102	8.8.8.8	0xd4a5	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:21.775712013 CET	192.168.1.102	8.8.8.8	0xf508	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:22.013997078 CET	192.168.1.102	8.8.8.8	0x13bd	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:22.249692917 CET	192.168.1.102	8.8.8.8	0x1cb8	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:22.496064901 CET	192.168.1.102	8.8.8.8	0xaba6	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:22.754255056 CET	192.168.1.102	8.8.8.8	0xa062	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:22.987730980 CET	192.168.1.102	8.8.8.8	0x37d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:23.237608910 CET	192.168.1.102	8.8.8.8	0x8c06	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:23.484697104 CET	192.168.1.102	8.8.8.8	0x2ad6	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:23.720062017 CET	192.168.1.102	8.8.8.8	0xe9c0	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:23.952507019 CET	192.168.1.102	8.8.8.8	0xfbd4	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:24.201069117 CET	192.168.1.102	8.8.8.8	0xdf1e	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:24.452256918 CET	192.168.1.102	8.8.8.8	0x2d94	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:24.705614090 CET	192.168.1.102	8.8.8.8	0xd9c4	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:25.002012968 CET	192.168.1.102	8.8.8.8	0xcd37	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:25.269138098 CET	192.168.1.102	8.8.8.8	0xcbbf	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:25.519251108 CET	192.168.1.102	8.8.8.8	0x18b4	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:25.770019054 CET	192.168.1.102	8.8.8.8	0xcbfd	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:26.021261930 CET	192.168.1.102	8.8.8.8	0xf2e4	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:26.331233978 CET	192.168.1.102	8.8.8.8	0xaf5c	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:26.566318989 CET	192.168.1.102	8.8.8.8	0x8a2	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:26.813718081 CET	192.168.1.102	8.8.8.8	0x3739	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:27.056814909 CET	192.168.1.102	8.8.8.8	0xdf89	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:27.312645912 CET	192.168.1.102	8.8.8.8	0xc368	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:27.611253977 CET	192.168.1.102	8.8.8.8	0xd183	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:27.957024097 CET	192.168.1.102	8.8.8.8	0x9e40	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:28.633605003 CET	192.168.1.102	8.8.8.8	0x6d6e	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:28.967077017 CET	192.168.1.102	8.8.8.8	0x8b6	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:29.646918058 CET	192.168.1.102	8.8.8.8	0x30c9	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:29.896704912 CET	192.168.1.102	8.8.8.8	0x6c2d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:30.132014036 CET	192.168.1.102	8.8.8.8	0x8aa9	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:30.377209902 CET	192.168.1.102	8.8.8.8	0xcd55	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:30.629019022 CET	192.168.1.102	8.8.8.8	0xaac	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:30.870219946 CET	192.168.1.102	8.8.8.8	0xc673	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:31.118225098 CET	192.168.1.102	8.8.8.8	0x40b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:31.351303101 CET	192.168.1.102	8.8.8.8	0xaef	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:31.599716902 CET	192.168.1.102	8.8.8.8	0xe282	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:31.847336054 CET	192.168.1.102	8.8.8.8	0x896	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:32.092302084 CET	192.168.1.102	8.8.8.8	0x57e6	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:32.328479052 CET	192.168.1.102	8.8.8.8	0xa342	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:32.577069998 CET	192.168.1.102	8.8.8.8	0x9b01	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:32.822932959 CET	192.168.1.102	8.8.8.8	0x329	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:33.063493013 CET	192.168.1.102	8.8.8.8	0x4d3a	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:33.311418056 CET	192.168.1.102	8.8.8.8	0xd08a	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:33.552701950 CET	192.168.1.102	8.8.8.8	0x3fee	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:33.798768044 CET	192.168.1.102	8.8.8.8	0x6d9b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:34.033284903 CET	192.168.1.102	8.8.8.8	0x197f	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:34.284466982 CET	192.168.1.102	8.8.8.8	0xfe1d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:34.526227951 CET	192.168.1.102	8.8.8.8	0x7344	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:34.758867025 CET	192.168.1.102	8.8.8.8	0xec22	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:34.997220993 CET	192.168.1.102	8.8.8.8	0x6f53	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:35.243607044 CET	192.168.1.102	8.8.8.8	0x3c16	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:35.494707108 CET	192.168.1.102	8.8.8.8	0x744	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:35.738225937 CET	192.168.1.102	8.8.8.8	0x4b88	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:35.982425928 CET	192.168.1.102	8.8.8.8	0xac75	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:36.230536938 CET	192.168.1.102	8.8.8.8	0xb3ad	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:36.482888937 CET	192.168.1.102	8.8.8.8	0x6451	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:36.721333981 CET	192.168.1.102	8.8.8.8	0x9c5b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:36.972196102 CET	192.168.1.102	8.8.8.8	0x2ef1	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:37.216810942 CET	192.168.1.102	8.8.8.8	0x3057	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:37.462160110 CET	192.168.1.102	8.8.8.8	0x8c0a	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:37.731558084 CET	192.168.1.102	8.8.8.8	0xafe5	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:38.001010895 CET	192.168.1.102	8.8.8.8	0x9ad6	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:38.255713940 CET	192.168.1.102	8.8.8.8	0xc4a9	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:38.510190010 CET	192.168.1.102	8.8.8.8	0x3b19	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:38.794533014 CET	192.168.1.102	8.8.8.8	0xbdf0	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:39.037404060 CET	192.168.1.102	8.8.8.8	0xfac	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:39.291409016 CET	192.168.1.102	8.8.8.8	0x85bb	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:39.541771889 CET	192.168.1.102	8.8.8.8	0xf4b8	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:39.806390047 CET	192.168.1.102	8.8.8.8	0xd0cc	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:40.071918964 CET	192.168.1.102	8.8.8.8	0xaf1	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:40.319116116 CET	192.168.1.102	8.8.8.8	0xcac4	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:40.565732956 CET	192.168.1.102	8.8.8.8	0x975f	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:40.821423054 CET	192.168.1.102	8.8.8.8	0xbea9	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:41.094196081 CET	192.168.1.102	8.8.8.8	0x429f	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:41.347328901 CET	192.168.1.102	8.8.8.8	0xf3a5	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:41.614700079 CET	192.168.1.102	8.8.8.8	0xea73	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:41.860361099 CET	192.168.1.102	8.8.8.8	0x117f	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:42.106020927 CET	192.168.1.102	8.8.8.8	0x68b6	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:42.351480007 CET	192.168.1.102	8.8.8.8	0x8be	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:42.598376036 CET	192.168.1.102	8.8.8.8	0xf047	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:42.837658882 CET	192.168.1.102	8.8.8.8	0x599d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:43.114191055 CET	192.168.1.102	8.8.8.8	0xc67a	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:43.360255003 CET	192.168.1.102	8.8.8.8	0xdf72	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:43.608668089 CET	192.168.1.102	8.8.8.8	0x4bc8	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:43.854275942 CET	192.168.1.102	8.8.8.8	0xa727	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:44.101288080 CET	192.168.1.102	8.8.8.8	0xdbf5	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:44.347199917 CET	192.168.1.102	8.8.8.8	0xc1bc	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:44.588150024 CET	192.168.1.102	8.8.8.8	0x75a3	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:44.946187019 CET	192.168.1.102	8.8.8.8	0x3c18	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:45.183635950 CET	192.168.1.102	8.8.8.8	0x738c	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:45.422210932 CET	192.168.1.102	8.8.8.8	0xcc8	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:45.668564081 CET	192.168.1.102	8.8.8.8	0x47e2	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:46.283267021 CET	192.168.1.102	8.8.8.8	0xccea	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:47.013602972 CET	192.168.1.102	8.8.8.8	0x7e39	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:47.287213087 CET	192.168.1.102	8.8.8.8	0xc7a5	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:47.583743095 CET	192.168.1.102	8.8.8.8	0xb440	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:47.867212057 CET	192.168.1.102	8.8.8.8	0x1812	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:48.120528936 CET	192.168.1.102	8.8.8.8	0xe52b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:48.375437975 CET	192.168.1.102	8.8.8.8	0xac49	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:48.629600048 CET	192.168.1.102	8.8.8.8	0x3d75	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:48.879422903 CET	192.168.1.102	8.8.8.8	0x86fe	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:49.132314920 CET	192.168.1.102	8.8.8.8	0xa63c	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:49.378151894 CET	192.168.1.102	8.8.8.8	0x5a32	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:49.626338959 CET	192.168.1.102	8.8.8.8	0xc988	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:49.879075050 CET	192.168.1.102	8.8.8.8	0xc670	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:50.131946087 CET	192.168.1.102	8.8.8.8	0x1060	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:50.377088070 CET	192.168.1.102	8.8.8.8	0xbed1	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:50.643929005 CET	192.168.1.102	8.8.8.8	0x3909	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:50.914680004 CET	192.168.1.102	8.8.8.8	0x4002	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:51.172966003 CET	192.168.1.102	8.8.8.8	0x988b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:51.424407005 CET	192.168.1.102	8.8.8.8	0x747a	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:51.688716888 CET	192.168.1.102	8.8.8.8	0x7842	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:51.925961971 CET	192.168.1.102	8.8.8.8	0xd8	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:52.186191082 CET	192.168.1.102	8.8.8.8	0x317b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:52.426301003 CET	192.168.1.102	8.8.8.8	0x1a2	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:52.672508001 CET	192.168.1.102	8.8.8.8	0xaa22	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:52.926002026 CET	192.168.1.102	8.8.8.8	0x457f	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:53.175318003 CET	192.168.1.102	8.8.8.8	0x2606	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:53.464314938 CET	192.168.1.102	8.8.8.8	0xf903	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:53.706046104 CET	192.168.1.102	8.8.8.8	0xd822	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:53.961328030 CET	192.168.1.102	8.8.8.8	0xe415	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:54.243802071 CET	192.168.1.102	8.8.8.8	0xe95e	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:54.499098063 CET	192.168.1.102	8.8.8.8	0xdc45	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:54.777808905 CET	192.168.1.102	8.8.8.8	0xde7d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:55.033621073 CET	192.168.1.102	8.8.8.8	0xbf40	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:55.324409008 CET	192.168.1.102	8.8.8.8	0xd828	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:55.567173958 CET	192.168.1.102	8.8.8.8	0x9f6a	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:55.818265915 CET	192.168.1.102	8.8.8.8	0x543d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:56.062531948 CET	192.168.1.102	8.8.8.8	0x2531	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:56.301527977 CET	192.168.1.102	8.8.8.8	0x29d1	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:56.595185041 CET	192.168.1.102	8.8.8.8	0xc211	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:56.899789095 CET	192.168.1.102	8.8.8.8	0x8ad5	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:57.158828020 CET	192.168.1.102	8.8.8.8	0xc90e	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:57.396714926 CET	192.168.1.102	8.8.8.8	0xcccb	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:57.649252892 CET	192.168.1.102	8.8.8.8	0x678	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:57.914612055 CET	192.168.1.102	8.8.8.8	0x154f	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:58.198401928 CET	192.168.1.102	8.8.8.8	0x62c5	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:58.474261045 CET	192.168.1.102	8.8.8.8	0x9be5	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:58.724769115 CET	192.168.1.102	8.8.8.8	0x1186	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:58.974025965 CET	192.168.1.102	8.8.8.8	0x24c2	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:59.221676111 CET	192.168.1.102	8.8.8.8	0xbc3e	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:59.460984945 CET	192.168.1.102	8.8.8.8	0x592d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:58:59.717564106 CET	192.168.1.102	8.8.8.8	0x64e5	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:00.027281046 CET	192.168.1.102	8.8.8.8	0x882	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:00.317502022 CET	192.168.1.102	8.8.8.8	0xbcb0	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:00.571221113 CET	192.168.1.102	8.8.8.8	0xe7dd	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:00.818341970 CET	192.168.1.102	8.8.8.8	0x251b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:01.097857952 CET	192.168.1.102	8.8.8.8	0xef06	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:01.392920017 CET	192.168.1.102	8.8.8.8	0x5ec3	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:01.633388996 CET	192.168.1.102	8.8.8.8	0x8576	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:01.888259888 CET	192.168.1.102	8.8.8.8	0x3479	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:02.132716894 CET	192.168.1.102	8.8.8.8	0x47d0	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:02.383390903 CET	192.168.1.102	8.8.8.8	0xef5f	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:02.629148006 CET	192.168.1.102	8.8.8.8	0xce8d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:02.892231941 CET	192.168.1.102	8.8.8.8	0xec9c	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:03.190824032 CET	192.168.1.102	8.8.8.8	0x9e20	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:03.471592903 CET	192.168.1.102	8.8.8.8	0xab58	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:03.724661112 CET	192.168.1.102	8.8.8.8	0x2371	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:03.971355915 CET	192.168.1.102	8.8.8.8	0xe93a	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:04.219145060 CET	192.168.1.102	8.8.8.8	0x15e	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:04.520612955 CET	192.168.1.102	8.8.8.8	0x92b0	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:04.759471893 CET	192.168.1.102	8.8.8.8	0xbefa	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:05.006222010 CET	192.168.1.102	8.8.8.8	0x2de0	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:05.248702049 CET	192.168.1.102	8.8.8.8	0x170e	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:05.498981953 CET	192.168.1.102	8.8.8.8	0xa682	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:05.741180897 CET	192.168.1.102	8.8.8.8	0xfc67	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:05.980118990 CET	192.168.1.102	8.8.8.8	0x11c9	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:06.281059027 CET	192.168.1.102	8.8.8.8	0xdd5b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:06.544899940 CET	192.168.1.102	8.8.8.8	0x753d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:06.797962904 CET	192.168.1.102	8.8.8.8	0x6d65	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:07.054301023 CET	192.168.1.102	8.8.8.8	0x74af	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:07.338673115 CET	192.168.1.102	8.8.8.8	0x49e5	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:07.599427938 CET	192.168.1.102	8.8.8.8	0x873	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:07.848397970 CET	192.168.1.102	8.8.8.8	0xca52	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:08.113929033 CET	192.168.1.102	8.8.8.8	0x2ea0	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:08.353817940 CET	192.168.1.102	8.8.8.8	0xb473	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:08.590481997 CET	192.168.1.102	8.8.8.8	0xd9b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:08.840511084 CET	192.168.1.102	8.8.8.8	0x6837	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:09.117484093 CET	192.168.1.102	8.8.8.8	0xc3f1	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:09.362986088 CET	192.168.1.102	8.8.8.8	0x8233	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:09.626601934 CET	192.168.1.102	8.8.8.8	0xfc74	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:09.909435034 CET	192.168.1.102	8.8.8.8	0x8cfc	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:10.157074928 CET	192.168.1.102	8.8.8.8	0x15eb	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:10.436167955 CET	192.168.1.102	8.8.8.8	0x5e50	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:10.713459015 CET	192.168.1.102	8.8.8.8	0xd411	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:10.969902992 CET	192.168.1.102	8.8.8.8	0x14eb	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:11.203850985 CET	192.168.1.102	8.8.8.8	0x8170	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:11.456494093 CET	192.168.1.102	8.8.8.8	0xe689	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:11.703495026 CET	192.168.1.102	8.8.8.8	0x5595	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:11.937109947 CET	192.168.1.102	8.8.8.8	0x276b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:12.215946913 CET	192.168.1.102	8.8.8.8	0x84e	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:12.463819981 CET	192.168.1.102	8.8.8.8	0xabd1	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:12.703722954 CET	192.168.1.102	8.8.8.8	0x6137	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:12.956382990 CET	192.168.1.102	8.8.8.8	0xc7b5	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:13.253719091 CET	192.168.1.102	8.8.8.8	0x565c	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:13.534048080 CET	192.168.1.102	8.8.8.8	0xcf14	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:13.813366890 CET	192.168.1.102	8.8.8.8	0x3efa	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:14.054671049 CET	192.168.1.102	8.8.8.8	0x62bd	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:14.301342964 CET	192.168.1.102	8.8.8.8	0xcf67	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:14.550076008 CET	192.168.1.102	8.8.8.8	0x5c23	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:14.801049948 CET	192.168.1.102	8.8.8.8	0xa113	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:15.041461945 CET	192.168.1.102	8.8.8.8	0x22e9	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:15.292025089 CET	192.168.1.102	8.8.8.8	0x5c1e	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:15.566790104 CET	192.168.1.102	8.8.8.8	0x5f99	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:15.808876038 CET	192.168.1.102	8.8.8.8	0xe475	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:16.059195042 CET	192.168.1.102	8.8.8.8	0xf7ea	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:16.326210976 CET	192.168.1.102	8.8.8.8	0xb13	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:16.595269918 CET	192.168.1.102	8.8.8.8	0x16de	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:16.840065002 CET	192.168.1.102	8.8.8.8	0xd877	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:17.121419907 CET	192.168.1.102	8.8.8.8	0x34f6	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:17.416896105 CET	192.168.1.102	8.8.8.8	0xd4b1	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:17.658880949 CET	192.168.1.102	8.8.8.8	0x14ca	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:17.905126095 CET	192.168.1.102	8.8.8.8	0x8d2c	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:18.149868011 CET	192.168.1.102	8.8.8.8	0x716d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:18.387938976 CET	192.168.1.102	8.8.8.8	0x9e53	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:18.655294895 CET	192.168.1.102	8.8.8.8	0x6a2b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:18.912914038 CET	192.168.1.102	8.8.8.8	0xa6bc	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:19.161531925 CET	192.168.1.102	8.8.8.8	0x1612	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:19.434782982 CET	192.168.1.102	8.8.8.8	0xd050	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:19.705502033 CET	192.168.1.102	8.8.8.8	0xfa7b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:19.968070030 CET	192.168.1.102	8.8.8.8	0x324d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:20.268593073 CET	192.168.1.102	8.8.8.8	0x8f04	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:20.569405079 CET	192.168.1.102	8.8.8.8	0x6c90	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:20.806374073 CET	192.168.1.102	8.8.8.8	0xf958	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:21.048388004 CET	192.168.1.102	8.8.8.8	0x4ea8	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:21.297161102 CET	192.168.1.102	8.8.8.8	0xea92	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:21.546818018 CET	192.168.1.102	8.8.8.8	0x591e	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:21.814594030 CET	192.168.1.102	8.8.8.8	0x4c2d	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:22.097029924 CET	192.168.1.102	8.8.8.8	0x27e9	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:22.349307060 CET	192.168.1.102	8.8.8.8	0xdced	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:22.612602949 CET	192.168.1.102	8.8.8.8	0xde40	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:22.854568005 CET	192.168.1.102	8.8.8.8	0x16e9	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:23.133879900 CET	192.168.1.102	8.8.8.8	0x864e	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:23.375050068 CET	192.168.1.102	8.8.8.8	0x84d2	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:23.630074978 CET	192.168.1.102	8.8.8.8	0x64e3	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:23.884705067 CET	192.168.1.102	8.8.8.8	0x52f3	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:24.130032063 CET	192.168.1.102	8.8.8.8	0x1e1f	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:24.379892111 CET	192.168.1.102	8.8.8.8	0x39fd	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:24.622478962 CET	192.168.1.102	8.8.8.8	0xf5e8	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:24.888324022 CET	192.168.1.102	8.8.8.8	0x2a08	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:25.153604031 CET	192.168.1.102	8.8.8.8	0x66ae	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:25.405442953 CET	192.168.1.102	8.8.8.8	0x8e60	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:25.653238058 CET	192.168.1.102	8.8.8.8	0xb9ae	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:25.903892994 CET	192.168.1.102	8.8.8.8	0x3689	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:26.160885096 CET	192.168.1.102	8.8.8.8	0x5ee0	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:26.416438103 CET	192.168.1.102	8.8.8.8	0xd3ab	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:26.655599117 CET	192.168.1.102	8.8.8.8	0x1b62	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:26.904875040 CET	192.168.1.102	8.8.8.8	0x6ad7	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:27.140017033 CET	192.168.1.102	8.8.8.8	0xf9e6	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:27.378006935 CET	192.168.1.102	8.8.8.8	0xd114	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:27.631149054 CET	192.168.1.102	8.8.8.8	0xd797	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:27.869113922 CET	192.168.1.102	8.8.8.8	0xedb3	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:28.103110075 CET	192.168.1.102	8.8.8.8	0x7fbf	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:28.354991913 CET	192.168.1.102	8.8.8.8	0x128e	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:28.619333029 CET	192.168.1.102	8.8.8.8	0x2126	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:28.852669954 CET	192.168.1.102	8.8.8.8	0xa0cd	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:29.107744932 CET	192.168.1.102	8.8.8.8	0xb6d6	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:29.349948883 CET	192.168.1.102	8.8.8.8	0xe23b	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:29.604275942 CET	192.168.1.102	8.8.8.8	0x9bb0	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:29.926681042 CET	192.168.1.102	8.8.8.8	0x7a26	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:30.187779903 CET	192.168.1.102	8.8.8.8	0xa5a6	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)
Oct 31, 2020 22:59:30.439661980 CET	192.168.1.102	8.8.8.8	0xf33f	Standard query (0)	pownedfag.pw	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 9fERLFJPjq.exe PID: 6088 Parent PID: 6140

General

Start time:	22:57:30
Start date:	31/10/2020
Path:	C:\Users\user\Desktop\9fERLFJPjq.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\9fERLFJPjq.exe'
Imagebase:	0x400000
File size:	1593344 bytes
MD5 hash:	DDD60E9AE362DEF377AA70D414ED374D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F, Description: Semiautomatic generated rule - file scan copy.pdf.r11, Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DarkCometRat, Description: Yara detected DarkComet, Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, Author: Joe Security Rule: DarkComet_1, Description: DarkComet RAT, Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, Author: botherder https://github.com/botherder Rule: DarkComet_3, Description: unknown, Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_4, Description: unknown, Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: 9fERLFJPjq.exe PID: 5844 Parent PID: 6088

General

Start time:	22:58:03
Start date:	31/10/2020
Path:	C:\Users\user\Desktop\9fERLFJPjq.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\9fERLFJPjq.exe'
Imagebase:	0x400000
File size:	1593344 bytes
MD5 hash:	DDD60E9AE362DEF377AA70D414ED374D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: DarkComet_2, Description: DarkComet, Source: 00000006.00000002.602074619.00000000006C1000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 00000006.00000002.602017158.0000000000696000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 00000006.00000002.601989587.0000000000668000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 00000006.00000002.602066507.00000000006BA000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 368 Parent PID: 3520

General

Start time:	22:58:12
Start date:	31/10/2020
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs'
Imagebase:	0x7ff7bd3a0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: enxavse.exe PID: 880 Parent PID: 368

General

Start time:	22:58:14
Start date:	31/10/2020
Path:	C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'
Imagebase:	0x400000
File size:	1593344 bytes
MD5 hash:	D409D2D823F91A2DCC7EE6563B632BF3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Visual Basic
Yara matches:	Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, Author: Florian Roth Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Malware_QA_update_RID2DAD, Description: VT Research QA uploaded malware - file update.exe, Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DarkCometRat, Description: Yara detected DarkComet, Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, Author: Joe Security Rule: DarkComet_1, Description: DarkComet RAT, Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, Author: botherder https://github.com/botherder Rule: DarkComet_3, Description: unknown, Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_4, Description: unknown, Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 73%, Virustotal, Browse Detection: 66%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: enxavse.exe PID: 5520 Parent PID: 880

General

Start time:	22:58:49
Start date:	31/10/2020
Path:	C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'
Imagebase:	0x400000
File size:	1593344 bytes
MD5 hash:	D409D2D823F91A2DCC7EE6563B632BF3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: DarkComet_2, Description: DarkComet, Source: 0000000B.00000002.503082454.0000000000668000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 0000000B.00000002.503148674.00000000006C1000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 0000000B.00000002.503141508.00000000006BA000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 0000000B.00000002.503100449.0000000000696000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_
Reputation:	low

Chronological Activities

Disassembly

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 9fERLFJPjq.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Signature Similarity

Similar Samples

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution